This rule specifies that the IAM root user must not have access keys for security reasons.
Rule | IAM root user should not have access keys
Framework | FedRAMP Low Revision 4
Severity | Medium
IAM Root User Access Key Policy for FedRAMP Low Revision 4
Overview
Under the Federal Risk and Authorization Management Program (FedRAMP) Low Impact Security Controls Baseline Revision 4, it is recommended that the AWS Identity and Access Management (IAM) root user not have access keys associated with it. The root user has full access to all resources in the AWS account, and its use should be limited and monitored carefully. Access keys provide programmatic access to an AWS account; if compromised, root access keys would give an attacker unfettered access to an organization's cloud resources.
Rationale
The root user's credentials are the most powerful credentials in your AWS account. Ensuring that the root user does not have access keys mitigates the risk of unauthorized access due to compromised programmatic credentials.
Remediation Steps
Step 1: Detect if Root User Has Access Keys
To check whether the root user has access keys, you can use the AWS Management Console or AWS CLI.
Using AWS Management Console
Using AWS CLI
The root user is not an IAM user, so aws iam list-access-keys --user-name root returns NoSuchEntity (or inspects an unrelated IAM user that happens to be named root). Execute the following command instead; a value of 1 means the root user has at least one access key:
aws iam get-account-summary --query 'SummaryMap.AccountAccessKeysPresent'
Step 2: Delete Root User Access Keys
If access keys exist, the following measures should be taken to remove the keys:
Using AWS Management Console
In the Access keys section, choose Delete and confirm the deletion.
Using AWS CLI
Root access keys can only be deleted by the root user itself. Signed in with root credentials, execute the following command for each access key associated with the root user (omit --user-name: passing --user-name root would target an IAM user named root, not the account root user):
aws iam delete-access-key --access-key-id <ACCESS_KEY_ID>
Replace <ACCESS_KEY_ID> with the actual access key ID that you wish to delete.
Step 3: Monitor and Audit Root User Activity
To ensure ongoing compliance with the FedRAMP Low Revision 4 requirement, it's also critical to monitor and audit root user activity.
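As an added example (not code from the original page), the following Python evaluates the rule from Step 1 against an IAM credential report, the other artifact that records whether the root user has active access keys. The report text, account ID and user names are constructed sample data, and the sample keeps only a subset of the real report's columns.

```python
"""Evaluate an IAM credential report for the 'root user has no access keys' rule.

`aws iam get-credential-report` returns the report as base64 CSV in its
Content field; the root user appears in that CSV as user "<root_account>".
"""
import base64
import csv
import io

ROOT_USER = "<root_account>"
KEY_ACTIVE_COLUMNS = ("access_key_1_active", "access_key_2_active")


def decode_report(content_b64: str) -> str:
    """Decode the base64 Content field of get-credential-report into CSV text."""
    return base64.b64decode(content_b64).decode("utf-8")


def root_access_key_finding(report_csv: str) -> dict:
    """Return PASS/FAIL for the root row plus which key slots are active.

    The report only exposes active flags, not key IDs; the IDs needed for
    delete-access-key must be obtained while signed in as the root user.
    """
    rows = list(csv.DictReader(io.StringIO(report_csv)))
    root_rows = [r for r in rows if r.get("user") == ROOT_USER]
    if len(root_rows) != 1:
        raise ValueError("credential report must contain exactly one root row")
    root = root_rows[0]
    active = [c for c in KEY_ACTIVE_COLUMNS if root.get(c, "").lower() == "true"]
    return {
        "status": "FAIL" if active else "PASS",
        "active_key_slots": active,
        "mfa_active": root.get("mfa_active", "").lower() == "true",
    }


# Constructed sample report (not real data): root has key slot 1 active.
SAMPLE_REPORT = "\n".join([
    "user,arn,user_creation_time,password_enabled,password_last_used,"
    "password_last_changed,password_next_rotation,mfa_active,"
    "access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated",
    "<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,"
    "not_supported,2024-01-01T00:00:00+00:00,not_supported,not_supported,true,"
    "true,2021-01-01T00:00:00+00:00,false,N/A",
    "alice,arn:aws:iam::111122223333:user/alice,2021-01-01T00:00:00+00:00,true,"
    "2024-01-01T00:00:00+00:00,2023-01-01T00:00:00+00:00,N/A,true,"
    "true,2023-06-01T00:00:00+00:00,false,N/A",
])
# What the CLI's Content field would look like for the constructed sample.
SAMPLE_CONTENT_B64 = base64.b64encode(SAMPLE_REPORT.encode("utf-8")).decode("ascii")

if __name__ == "__main__":
    print(root_access_key_finding(decode_report(SAMPLE_CONTENT_B64)))
```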
Best Practices
Please note that while these remediation steps can help you ensure the root user does not have access keys, they should be implemented as part of a broader security strategy to ensure compliance with FedRAMP standards.