Skip to main content

More Info:

Root account has full permissions across the entire account. Root account should not have access keys. Also, it certainly shouldn’t access any service. Instead, create IAM users with predefined roles.

Risk Level

Critical

Address

Security

Compliance Standards

HIPAA, ISO27001, PCIDSS, GDPR, NIST, SOC2, CISAWS, CBP, HITRUST, AWSWAF, NISTCSF, FedRAMP

Triage and Remediation

  • Prevention
  • Cause
  • Remediation

How to Prevent

Using Console

To prevent the root account from having access keys in AWS IAM using the AWS Management Console, follow these steps:
  1. Sign in to the AWS Management Console:
  2. Navigate to the IAM Dashboard:
    • In the AWS Management Console, click on the “Services” menu at the top of the page.
    • Under “Security, Identity, & Compliance,” select “IAM” to open the IAM Dashboard.
  3. Access the Root Account Security Settings:
    • In the IAM Dashboard, look for the “Security Status” section.
    • Click on the “Manage security credentials” link next to the “Root account” label. This will take you to the “Security Credentials” page for the root account.
  4. Check and Delete Access Keys:
    • On the “Security Credentials” page, scroll down to the “Access keys” section.
    • If there are any active access keys listed, click on the “Delete” button next to each key to remove them.
    • Confirm the deletion when prompted to ensure that the root account no longer has any access keys.
By following these steps, you can ensure that the root account does not have any access keys, thereby enhancing the security of your AWS environment.
To prevent the root account from having access keys in AWS IAM using the AWS CLI, you can follow these steps:
  1. Check for Existing Access Keys: First, you need to check if there are any access keys associated with the root account. This can be done by listing the access keys for the root user. 
    aws iam list-access-keys --user-name root
  2. Delete Existing Access Keys: If there are any access keys associated with the root account, you should delete them. Replace ACCESS_KEY_ID with the actual access key ID you want to delete. 
    aws iam delete-access-key --user-name root --access-key-id ACCESS_KEY_ID
  3. Create an IAM User for Administrative Tasks: Instead of using the root account, create an IAM user with administrative privileges. This user will be used for tasks that require elevated permissions. 
    aws iam create-user --user-name AdminUser
aws iam attach-user-policy --user-name AdminUser --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
  4. Enable MFA for Root Account: To further secure the root account, enable Multi-Factor Authentication (MFA). This step doesn’t directly involve the CLI but is a best practice to ensure the root account is secure. 
    aws iam enable-mfa-device --user-name root --serial-number arn:aws:iam::123456789012:mfa/root-account-mfa-device --authentication-code1 123456 --authentication-code2 789012
By following these steps, you can ensure that the root account does not have access keys, and you can use an IAM user with administrative privileges for necessary tasks.
To prevent the root account from having access keys in IAM using Python scripts, you can use the AWS SDK for Python (Boto3). Here are the steps to achieve this:
  1. Install Boto3: Ensure you have Boto3 installed in your Python environment. You can install it using pip if you haven’t already: 
    pip install boto3
  2. Create a Boto3 Session: Initialize a Boto3 session with the necessary credentials and region information. 
    import boto3

session = boto3.Session(
    aws_access_key_id='YOUR_ACCESS_KEY',
    aws_secret_access_key='YOUR_SECRET_KEY',
    region_name='YOUR_REGION'
)
  3. Check for Root Access Keys: Use the IAM client to list access keys for the root account and ensure no access keys exist. 
    iam_client = session.client('iam')

# List access keys for the root account
response = iam_client.list_access_keys(UserName='root')

# Check if any access keys exist
if response['AccessKeyMetadata']:
    print("Root account has access keys. Please remove them.")
else:
    print("Root account does not have any access keys.")
  4. Automate the Check and Preventive Action: You can automate this check to run periodically and alert or take action if access keys are found. 
    import boto3
from botocore.exceptions import NoCredentialsError, PartialCredentialsError

def check_root_access_keys():
    try:
        session = boto3.Session(
            aws_access_key_id='YOUR_ACCESS_KEY',
            aws_secret_access_key='YOUR_SECRET_KEY',
            region_name='YOUR_REGION'
        )
        iam_client = session.client('iam')

        # List access keys for the root account
        response = iam_client.list_access_keys(UserName='root')

        # Check if any access keys exist
        if response['AccessKeyMetadata']:
            print("Root account has access keys. Please remove them.")
            # Optionally, you can add code here to delete the keys automatically
            # for key in response['AccessKeyMetadata']:
            #     iam_client.delete_access_key(UserName='root', AccessKeyId=key['AccessKeyId'])
        else:
            print("Root account does not have any access keys.")
    except (NoCredentialsError, PartialCredentialsError) as e:
        print(f"Error: {e}")

# Run the check
check_root_access_keys()
This script will help you ensure that the root account does not have any access keys, thereby preventing potential security risks associated with root account access keys.

Additional Reading:

I