🛡️ AWS Account Root User credentials were used is the last 30 days🟢

Contextual name: 🛡️ Root User credentials were used is the last 30 days🟢
ID: /ce/ca/aws/iam/root-account-used-recently
Tags:
- 🟢 Policy with categories
- 🟢 Policy with type
- 🟢 Production policy
Policy Type: COMPLIANCE_POLICY
Policy Categories: SECURITY

Logic

🧠 prod.logic.yaml🟢
- 📗 AWS IAM User
- 🔌 AWS IAM User - credReport.extracts.yaml
- 🔌 AWS IAM User - object.extracts.yaml
- 🧪 test-data.json

Similar Policies

Cloud Conformity: Root Account Credentials Usage
Internal: dec-x-e58fd8e0

Similar Internal Rules

Rule	Policies	Flags
✉️ dec-x-e58fd8e0	1

Description

Open File

Description

Verify that the AWS root account credentials have not been used to access your AWS account in the past 30 days. Root account credentials should not be used for day-to-day operations, including administrative tasks. Instead, assign appropriate permissions to individual IAM users or roles to limit dependency on the root account.

Rationale

The AWS root account has unrestricted access to all resources in the AWS environment. Routine use of the root account increases the risk of accidental or intentional misuse, which could result in data breaches, resource compromise, or loss of account control. By ensuring root user credentials are only used for critical administrative tasks (e.g., billing or account setup), organizations can reduce security risks and adhere to best practices for least-privilege access.

Additionally, frequent root account usage can undermine auditing efforts and make it difficult to track accountability.

Impact

May require additional administrative effort to configure and maintain IAM roles and secure workflows.

... see more

Remediation

Open File

Remediation

Ensure all root account usage is necessary, logged, and secured. For any non-critical tasks, use IAM roles or users.

Consider implementing these steps to effectively minimize the use of root account credentials and enhance the security of your AWS account.

From Command Line

Enable MFA for the root account (if not already enabled)

Create the virtual device entity in IAM to represent a virtual MFA device:
aws iam create-virtual-mfa-device \
--virtual-mfa-device-name {{mfa-device-name}} \
--outfile {{filepath}} \
--bootstrap-method {{bootstrap-method}}
Enable an MFA device for use with AWS:
aws iam enable-mfa-device \
--user-name root \
--serial-number {{mfa-device-arn}} \
--authentication-code1 123456 \
--authentication-code2 789012
Create and use IAM roles for administrative tasks

Define and assign roles with specific permissions instead of relying on root user credentials:
aws iam create-role --role-name {{admin-role}} --assume-role-policy-document file://{{trust-policy}}.json
aws iam attach-role-policy --role-name {{admin-role}} --policy-arn {{arn:aws:iam::aws:policy/admin-access}}

... [see more](remediation.md)

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Compliance
💼 APRA CPG 234 → 💼 16c information security operations and administration;		4	4	no data
💼 APRA CPG 234 → 💼 67e users with privileged access accounts subject to a greater level of monitoring in light of the heightened risks involved.		1	1	no data
💼 CIS AWS v1.2.0 → 💼 1.1 Avoid the use of the "root" account		1	1	no data
💼 CIS AWS v1.3.0 → 💼 1.7 Eliminate use of the root user for administrative and daily tasks		1	1	no data
💼 CIS AWS v1.4.0 → 💼 1.7 Eliminate use of the 'root' user for administrative and daily tasks		1	1	no data
💼 CIS AWS v1.5.0 → 💼 1.7 Eliminate use of the 'root' user for administrative and daily tasks - Level 1 (Automated)		1	1	no data
💼 CIS AWS v2.0.0 → 💼 1.7 Eliminate use of the 'root' user for administrative and daily tasks - Level 1 (Manual)		1	1	no data
💼 CIS AWS v3.0.0 → 💼 1.7 Eliminate use of the 'root' user for administrative and daily tasks - Level 1 (Manual)		1	1	no data
💼 CIS AWS v4.0.0 → 💼 1.7 Eliminate use of the 'root' user for administrative and daily tasks (Manual)			1	no data
💼 CIS AWS v4.0.1 → 💼 1.7 Eliminate use of the 'root' user for administrative and daily tasks (Manual)			1	no data
💼 CIS AWS v5.0.0 → 💼 1.6 Eliminate use of the 'root' user for administrative and daily tasks (Manual)			1	no data
💼 CIS AWS v6.0.0 → 💼 2.6 Eliminate use of the 'root' user for administrative and daily tasks (Manual)			1	no data
💼 Cloudaware Framework → 💼 Credential Lifecycle Management			18	no data
💼 FedRAMP High Security Controls → 💼 AC-2(7) Privileged User Accounts (M)(H)		6	7	no data
💼 FedRAMP High Security Controls → 💼 AC-2(9) Restrictions on Use of Shared and Group Accounts (M)(H)		2	2	no data
💼 FedRAMP High Security Controls → 💼 AC-6(1) Authorize Access to Security Functions (M)(H)		4	4	no data
💼 FedRAMP High Security Controls → 💼 AC-6(2) Non-privileged Access for Nonsecurity Functions (M)(H)		1	5	no data
💼 FedRAMP High Security Controls → 💼 AC-6(5) Privileged Accounts (M)(H)		3	5	no data
💼 FedRAMP High Security Controls → 💼 IA-5 Authenticator Management (L)(M)(H)	6	14	32	no data
💼 FedRAMP High Security Controls → 💼 SI-4(20) Privileged Users (H)		48	51	no data
💼 FedRAMP Low Security Controls → 💼 IA-5 Authenticator Management (L)(M)(H)	1		32	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-2(7) Privileged User Accounts (M)(H)			7	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-2(9) Restrictions on Use of Shared and Group Accounts (M)(H)			2	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6(1) Authorize Access to Security Functions (M)(H)			4	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6(2) Non-privileged Access for Nonsecurity Functions (M)(H)			5	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6(5) Privileged Accounts (M)(H)			5	no data
💼 FedRAMP Moderate Security Controls → 💼 IA-5 Authenticator Management (L)(M)(H)	4		32	no data
💼 GDPR → 💼 Art. 30 Records of processing activities		2	3	no data
💼 GDPR → 💼 Art. 32 Security of processing		5	5	no data
💼 ISO/IEC 27001:2013 → 💼 A.9.2.2 User access provisioning		4	4	no data
💼 ISO/IEC 27001:2013 → 💼 A.9.3.1 Use of secret authentication information		3	3	no data
💼 ISO/IEC 27001:2022 → 💼 5.15 Access control		14	31	no data
💼 ISO/IEC 27001:2022 → 💼 8.2 Privileged access rights		7	10	no data
💼 NIST CSF v1.1 → 💼 PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes		19	34	no data
💼 NIST CSF v1.1 → 💼 PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties		17	56	no data
💼 NIST CSF v1.1 → 💼 PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals' security and privacy risks and other organizational risks)		19	23	no data
💼 NIST CSF v1.1 → 💼 PR.DS-5: Protections against data leaks are implemented		47	91	no data
💼 NIST CSF v2.0 → 💼 PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization			42	no data
💼 NIST CSF v2.0 → 💼 PR.AA-03: Users, services, and hardware are authenticated			53	no data
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties			116	no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			148	no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			125	no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			142	no data
💼 NIST SP 800-53 Revision 4 → 💼 AC-5 SEPARATION OF DUTIES		3	4	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-2(7) Account Management _ Privileged User Accounts		1	1	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6(2) Least Privilege _ Non-privileged Access for Nonsecurity Functions		4	5	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6(5) Least Privilege _ Privileged Accounts		3	3	no data
💼 PCI DSS v3.2.1 → 💼 8.1.1 Assign all users a unique ID before allowing them to access system components or cardholder data.		2	2	no data
💼 PCI DSS v3.2.1 → 💼 8.5 Do not use group, shared, or generic IDs, passwords, or other authentication methods.	1	1	2	no data
💼 PCI DSS v4.0.1 → 💼 8.2.1 All users are assigned a unique ID before access to system components or cardholder data is allowed.			2	no data
💼 PCI DSS v4.0.1 → 💼 8.2.2 Group, shared, or generic accounts, or other shared authentication credentials are only used when necessary on an exception basis.			2	no data
💼 PCI DSS v4.0 → 💼 8.2.1 All users are assigned a unique ID before access to system components or cardholder data is allowed.			2	no data
💼 PCI DSS v4.0 → 💼 8.2.2 Group, shared, or generic accounts, or other shared authentication credentials are only used when necessary on an exception basis.		2	2	no data
💼 SOC 2 → 💼 CC6.1-8 Manages Identification and Authentication		18	24	no data

Logic​

Similar Policies​

Similar Internal Rules​

Description​

Description​

Rationale​

Impact​

Remediation​

Remediation​

From Command Line​

Enable MFA for the root account (if not already enabled)​

Create and use IAM roles for administrative tasks​

policy.yaml​

Linked Framework Sections​

Logic

Similar Policies

Similar Internal Rules

Description

Description

Rationale

Impact

Remediation

Remediation

From Command Line

Enable MFA for the root account (if not already enabled)

Create and use IAM roles for administrative tasks

policy.yaml

Linked Framework Sections