Ensure no 'root' user account access key exists

The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the root account be removed. Removing access keys associated with the root account limits vectors by which the account can be compromised. Additionally, removing the root access keys encourages the creation and use of role based accounts that are least privileged. Note: Government cloud accounts do not have a root user, and so, should exclude this rule in the CloudGuard UI -> Posture Management -> Exclusions -> Create New Exclusion (for each relevant ruleset)

Risk Level: High
Cloud Entity: IAM User
CloudGuard Rule ID: D9.AWS.IAM.16
Covered by Spectral: Yes
Category: Security, Identity, & Compliance

GSL LOGIC

IamUser where name regexMatch /^<root_account>$/ should have firstAccessKey.isActive=false and secondAccessKey.isActive=false

REMEDIATION

From Portal
Perform the following to delete or disable active root access keys being Via the AWS Console:

  1. Sign in to the AWS Management Console as Root and open the IAM console at https://console.aws.amazon.com/iam/.
  2. Click on <Root_Account_Name> at the top right and select Security Credentials from the drop down list
  3. On the pop out screen Click on Continue to Security Credentials
  4. Click on Access Keys (Access Key ID and Secret Access Key)
  5. Under the Status column if there are any Keys which are Active
    5.1. Click on Make Inactive - (Temporarily disable Key - may be needed again)
    5.2. Click Delete - (Deleted keys cannot be recovered)

From TF

resource "aws_iam_access_key" "positive1" {
	+ user    = "root"
	- id = "some_id_that_exists"
	+ status = "Inactive"
}

From Command Line
To delete active root access keys, run:

aws iam delete-access-key --access-key-id ACCESS_KEY_ID --user-name USERNAME

References

  1. https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html
  2. https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
  3. https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys
  4. https://docs.aws.amazon.com/cli/latest/reference/iam/delete-access-key.html

IAM User

An IAM user is an entity that you create in AWS to represent the person or service that uses it to interact with AWS. A user in AWS consists of a name and credentials.

Compliance Frameworks

  • AWS CIS Foundations v. 1.0.0
  • AWS CIS Foundations v. 1.1.0
  • AWS CIS Foundations v. 1.2.0
  • AWS CIS Foundations v. 1.3.0
  • AWS CIS Foundations v. 1.4.0
  • AWS CIS Foundations v. 1.5.0
  • AWS CIS Foundations v. 2.0.0
  • AWS CSA CCM v.3.0.1
  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS GDPR Readiness
  • AWS HIPAA
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ISO 27001:2013
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS LGPD regulation
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-171
  • AWS NIST 800-53 Rev 4
  • AWS NIST 800-53 Rev 5
  • AWS NIST CSF v1.1
  • AWS PCI-DSS 3.2
  • AWS Security Risk Management
  • CloudGuard AWS All Rules Ruleset
  • CloudGuard AWS Default Ruleset