
πŸ›‘οΈ AWS Account Root User has active access keys🟒

  • Contextual name: 🛡️ Account Root User has active access keys 🟢
  • ID: /ce/ca/aws/iam/delete-root-user-access-keys
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logic

Similar Policies

Similar Internal Rules

Rule | Policies | Flags
✉️ dec-x-0a7801fb1 | | 

Description

The root user account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the root user account be deleted.

Rationale​

Deleting access keys associated with the root user account limits the vectors by which the account can be compromised. Additionally, deleting the root access keys encourages the creation and use of role-based accounts that are least privileged.

Audit​

Perform the following to determine if the root user account has access keys:

From Console

  1. Login to the AWS Management Console.
  2. Click Services.
  3. Click IAM.
  4. Click on Credential Report.
  5. This will download a .csv file which contains credential usage for all IAM users within an AWS Account - open this file.
  6. For the <root_account> user, ensure the access_key_1_active and access_key_2_active fields are set to FALSE.

From Command Line

Run the following command:

aws iam get-account-summary | grep "AccountAccessKeysPresent"


Remediation

Perform the following to delete active root user access keys.

From Console​

  1. Sign in to the AWS Management Console as root and open the IAM console at https://console.aws.amazon.com/iam/.
  2. Click on <root_account> at the top right and select My Security Credentials from the drop down list.
  3. On the pop out screen Click on Continue to Security Credentials.
  4. Click on Access Keys (Access Key ID and Secret Access Key).
  5. If there are active keys, under Status, click Delete (Note: Deleted keys cannot be recovered).

Note: While a key can be made inactive instead of deleted, an inactive key is still counted by the CLI command in the audit procedure (AccountAccessKeysPresent), which may lead to the root user being falsely flagged as non-compliant. Delete the key rather than deactivating it.
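The two audit sources above disagree on an inactive root key: the credential report shows both access_key_N_active fields as FALSE, while get-account-summary still counts the key in AccountAccessKeysPresent. The following check, written here as an added example (not part of the policy or its logic), parses both artefacts offline from constructed sample data and reports which situation applies; the CSV columns and the SummaryMap field name are taken from the audit steps, while the account id and user names are made up.

```python
import csv
import io
import json

# Constructed sample of an IAM credential report: only the columns this check
# needs are kept (the real report has many more). Account id is fictitious.
CREDENTIAL_REPORT_CSV = """user,arn,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::123456789012:root,TRUE,FALSE
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,TRUE,TRUE
"""

# Constructed sample of `aws iam get-account-summary` output, trimmed to the
# one field the audit greps for. Note that this count includes inactive keys.
ACCOUNT_SUMMARY_JSON = '{"SummaryMap": {"AccountAccessKeysPresent": 1}}'


def root_active_keys(report_csv: str) -> list[str]:
    """Return the root user's access-key slots that the report marks active.

    An empty list means the credential report shows the root user compliant.
    """
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            return [
                slot for slot in ("access_key_1_active", "access_key_2_active")
                if row[slot].strip().upper() == "TRUE"
            ]
    raise ValueError("credential report has no <root_account> row")


def root_keys_present(summary_json: str) -> int:
    """AccountAccessKeysPresent from get-account-summary (active or inactive)."""
    return int(json.loads(summary_json)["SummaryMap"]["AccountAccessKeysPresent"])


def assess(report_csv: str, summary_json: str) -> str:
    """Combine both audit sources into a single verdict string."""
    active = root_active_keys(report_csv)
    present = root_keys_present(summary_json)
    if active:
        return "NON_COMPLIANT: root has active keys in " + ", ".join(active)
    if present:
        # Keys were deactivated, not deleted: the CLI check would still flag this.
        return "COMPLIANT_BUT_INACTIVE_KEY_PRESENT: delete it to clear the CLI count"
    return "COMPLIANT"


if __name__ == "__main__":
    print(assess(CREDENTIAL_REPORT_CSV, ACCOUNT_SUMMARY_JSON))
```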

policy.yaml

Linked Framework Sections

Section → Sub Section | Internal Rules / Policies / Flags | Compliance
💼 APRA CPG 234 → 💼 47c segregation of duty controls which prevent personnel from deploying their own software changes to production; | 55 | no data
💼 APRA CPG 234 → 💼 c. prohibiting sharing of accounts and passwords (with the possible exception of generic accounts, where prohibiting sharing of accounts and passwords is unavoidable due to technology constraints); | 11 | no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [IAM.4] IAM root user access key should not exist | 11 | no data
💼 CIS AWS v1.2.0 → 💼 1.12 Ensure no root account access key exists | 11 | no data
💼 CIS AWS v1.3.0 → 💼 1.4 Ensure no root user account access key exists | 11 | no data
💼 CIS AWS v1.4.0 → 💼 1.4 Ensure no 'root' user account access key exists | 11 | no data
💼 CIS AWS v1.5.0 → 💼 1.4 Ensure no 'root' user account access key exists - Level 1 (Automated) | 11 | no data
💼 CIS AWS v2.0.0 → 💼 1.4 Ensure no 'root' user account access key exists - Level 1 (Automated) | 11 | no data
💼 CIS AWS v3.0.0 → 💼 1.4 Ensure no 'root' user account access key exists - Level 1 (Automated) | 11 | no data
💼 CIS AWS v4.0.0 → 💼 1.4 Ensure no 'root' user account access key exists (Automated) | 1 | no data
💼 CIS AWS v4.0.1 → 💼 1.4 Ensure no 'root' user account access key exists (Automated) | 1 | no data
💼 CIS AWS v5.0.0 → 💼 1.3 Ensure no 'root' user account access key exists (Automated) | 1 | no data
💼 CIS AWS v6.0.0 → 💼 2.3 Ensure no 'root' user account access key exists (Automated) | 1 | no data
💼 Cloudaware Framework → 💼 Credential Lifecycle Management | 18 | no data
💼 FedRAMP High Security Controls → 💼 AC-2(1) Automated System Account Management (M)(H) | 16 | no data
💼 FedRAMP High Security Controls → 💼 AC-2(9) Restrictions on Use of Shared and Group Accounts (M)(H) | 22 | no data
💼 FedRAMP High Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H) | 3767 | no data
💼 FedRAMP High Security Controls → 💼 AC-6 Least Privilege (M)(H) | 81156 | no data
💼 FedRAMP High Security Controls → 💼 AC-6(2) Non-privileged Access for Nonsecurity Functions (M)(H) | 14 | no data
💼 FedRAMP High Security Controls → 💼 AC-6(5) Privileged Accounts (M)(H) | 35 | no data
💼 FedRAMP High Security Controls → 💼 AC-6(10) Prohibit Non-privileged Users from Executing Privileged Functions (M)(H) | 13 | no data
💼 FedRAMP Low Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H) | 67 | no data
💼 FedRAMP Moderate Security Controls → 💼 AC-2(1) Automated System Account Management (M)(H) | 16 | no data
💼 FedRAMP Moderate Security Controls → 💼 AC-2(9) Restrictions on Use of Shared and Group Accounts (M)(H) | 2 | no data
💼 FedRAMP Moderate Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H) | 67 | no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6 Least Privilege (M)(H) | 656 | no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6(2) Non-privileged Access for Nonsecurity Functions (M)(H) | 4 | no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6(5) Privileged Accounts (M)(H) | 5 | no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6(10) Prohibit Non-privileged Users from Executing Privileged Functions (M)(H) | 3 | no data
💼 GDPR → 💼 Art. 25 Data protection by design and by default | 1010 | no data
💼 GDPR → 💼 Art. 32 Security of processing | 55 | no data
💼 ISO/IEC 27001:2013 → 💼 A.9.1.2 Access to networks and network services | 1718 | no data
💼 ISO/IEC 27001:2022 → 💼 5.10 Acceptable use of information and other associated assets | 1126 | no data
💼 ISO/IEC 27001:2022 → 💼 5.15 Access control | 1430 | no data
💼 ISO/IEC 27001:2022 → 💼 8.2 Privileged access rights | 710 | no data
💼 ISO/IEC 27001:2022 → 💼 8.3 Information access restriction | 1023 | no data
💼 ISO/IEC 27001:2022 → 💼 8.4 Access to source code | 821 | no data
💼 NIST CSF v1.1 → 💼 PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties | 1752 | no data
💼 NIST CSF v1.1 → 💼 PR.DS-1: Data-at-rest is protected | 1528 | no data
💼 NIST CSF v1.1 → 💼 PR.DS-2: Data-in-transit is protected | 1631 | no data
💼 NIST CSF v1.1 → 💼 PR.DS-5: Protections against data leaks are implemented | 4766 | no data
💼 NIST CSF v1.1 → 💼 PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities | 2130 | no data
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties | 91 | no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected | 118 | no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected | 98 | no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected | 112 | no data
💼 NIST SP 800-53 Revision 4 → 💼 SC-12 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | 544 | no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-2(1) Account Management _ Automated System Account Management | 416 | no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3(7) Access Enforcement _ Role-based Access Control | 14 | no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3(15) Access Enforcement _ Discretionary and Mandatory Access Control | 11 | no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6 Least Privilege | 102349 | no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6(2) Least Privilege _ Non-privileged Access for Nonsecurity Functions | 44 | no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6(5) Least Privilege _ Privileged Accounts | 33 | no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6(10) Least Privilege _ Prohibit Non-privileged Users from Executing Privileged Functions | 2 | no data
💼 PCI DSS v3.2.1 → 💼 2.1 Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network. | 18 | no data
💼 PCI DSS v3.2.1 → 💼 2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. | 5330 | no data
💼 PCI DSS v3.2.1 → 💼 7.2.1 Coverage of all system components. | 7 | no data
💼 PCI DSS v3.2.1 → 💼 8.5 Do not use group, shared, or generic IDs, passwords, or other authentication methods. | 112 | no data
💼 PCI DSS v4.0.1 → 💼 2.2.1 Configuration standards are developed, implemented, and maintained. | 11 | no data
💼 PCI DSS v4.0.1 → 💼 2.2.2 Vendor default accounts are managed. | 8 | no data
💼 PCI DSS v4.0.1 → 💼 7.3.1 An access control system(s) is in place that restricts access based on a user's need to know and covers all system components. | 7 | no data
💼 PCI DSS v4.0.1 → 💼 8.2.2 Group, shared, or generic accounts, or other shared authentication credentials are only used when necessary on an exception basis. | 2 | no data
💼 PCI DSS v4.0 → 💼 2.2.1 Configuration standards are developed, implemented, and maintained. | 11 | no data
💼 PCI DSS v4.0 → 💼 2.2.2 Vendor default accounts are managed. | 8 | no data
💼 PCI DSS v4.0 → 💼 7.3.1 An access control system(s) is in place that restricts access based on a user's need to know and covers all system components. | 7 | no data
💼 PCI DSS v4.0 → 💼 8.2.2 Group, shared, or generic accounts, or other shared authentication credentials are only used when necessary on an exception basis. | 22 | no data