Root Account Should Not Have Access Keys

More Info:

Root account has full permissions across the entire account. Root account should not have access keys. Also, it certainly shouldn’t access any service. Instead, create IAM users with predefined roles.

Risk Level

Critical

Address

Security

Compliance Standards

HIPAA, ISO27001, PCIDSS, GDPR, NIST, SOC2, CISAWS, CBP, HITRUST, AWSWAF, NISTCSF, FedRAMP

Triage and Remediation

How to Prevent

Using Console

Using CLI

To prevent the root account from having access keys in AWS IAM using the AWS CLI, you can follow these steps:

Check for Existing Access Keys: First, you need to check if there are any access keys associated with the root account. This can be done by listing the access keys for the root user.
```
aws iam list-access-keys --user-name root
```
Delete Existing Access Keys: If there are any access keys associated with the root account, you should delete them. Replace ACCESS_KEY_ID with the actual access key ID you want to delete.
```
aws iam delete-access-key --user-name root --access-key-id ACCESS_KEY_ID
```
Create an IAM User for Administrative Tasks: Instead of using the root account, create an IAM user with administrative privileges. This user will be used for tasks that require elevated permissions.
```
aws iam create-user --user-name AdminUser
aws iam attach-user-policy --user-name AdminUser --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
```
Enable MFA for Root Account: To further secure the root account, enable Multi-Factor Authentication (MFA). This step doesn’t directly involve the CLI but is a best practice to ensure the root account is secure.
```
aws iam enable-mfa-device --user-name root --serial-number arn:aws:iam::123456789012:mfa/root-account-mfa-device --authentication-code1 123456 --authentication-code2 789012
```

By following these steps, you can ensure that the root account does not have access keys, and you can use an IAM user with administrative privileges for necessary tasks.

Using Python

To prevent the root account from having access keys in IAM using Python scripts, you can use the AWS SDK for Python (Boto3). Here are the steps to achieve this:

Install Boto3: Ensure you have Boto3 installed in your Python environment. You can install it using pip if you haven’t already:
```
pip install boto3
```

Create a Boto3 Session: Initialize a Boto3 session with the necessary credentials and region information.

import boto3

session = boto3.Session(
    aws_access_key_id='YOUR_ACCESS_KEY',
    aws_secret_access_key='YOUR_SECRET_KEY',
    region_name='YOUR_REGION'
)

Check for Root Access Keys: Use the IAM client to list access keys for the root account and ensure no access keys exist.

iam_client = session.client('iam')

# List access keys for the root account
response = iam_client.list_access_keys(UserName='root')

# Check if any access keys exist
if response['AccessKeyMetadata']:
    print("Root account has access keys. Please remove them.")
else:
    print("Root account does not have any access keys.")

Automate the Check and Preventive Action: You can automate this check to run periodically and alert or take action if access keys are found.

import boto3
from botocore.exceptions import NoCredentialsError, PartialCredentialsError

def check_root_access_keys():
    try:
        session = boto3.Session(
            aws_access_key_id='YOUR_ACCESS_KEY',
            aws_secret_access_key='YOUR_SECRET_KEY',
            region_name='YOUR_REGION'
        )
        iam_client = session.client('iam')

        # List access keys for the root account
        response = iam_client.list_access_keys(UserName='root')

        # Check if any access keys exist
        if response['AccessKeyMetadata']:
            print("Root account has access keys. Please remove them.")
            # Optionally, you can add code here to delete the keys automatically
            # for key in response['AccessKeyMetadata']:
            #     iam_client.delete_access_key(UserName='root', AccessKeyId=key['AccessKeyId'])
        else:
            print("Root account does not have any access keys.")
    except (NoCredentialsError, PartialCredentialsError) as e:
        print(f"Error: {e}")

# Run the check
check_root_access_keys()

This script will help you ensure that the root account does not have any access keys, thereby preventing potential security risks associated with root account access keys.

Additional Reading:

https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Root Account Should Not Have Access Keys

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

How to Prevent

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​How to Prevent

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

How to Prevent

Additional Reading: