> ## Documentation Index
> Fetch the complete documentation index at: https://cloudanix.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Root Account Should Not Have Access Keys

### More Info:

Root account has full permissions across the entire account. Root account should not have access keys. Also, it certainly shouldn't access any service. Instead, create IAM users with predefined roles.

### Risk Level

Critical

### Address

Security

### Compliance Standards

HIPAA, ISO27001, PCIDSS, GDPR, NIST, SOC2, CISAWS, CBP, HITRUST, AWSWAF, NISTCSF, FedRAMP

### Triage and Remediation

<Tabs>
  <Tab title="Prevention">
    ### How to Prevent

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        To prevent the root account from having access keys in AWS IAM using the AWS Management Console, follow these steps:

        1. **Sign in to the AWS Management Console:**
           * Open the AWS Management Console at [https://aws.amazon.com/console/](https://aws.amazon.com/console/).
           * Sign in using your root account credentials.

        2. **Navigate to the IAM Dashboard:**
           * In the AWS Management Console, click on the "Services" menu at the top of the page.
           * Under "Security, Identity, & Compliance," select "IAM" to open the IAM Dashboard.

        3. **Access the Root Account Security Settings:**
           * In the IAM Dashboard, look for the "Security Status" section.
           * Click on the "Manage security credentials" link next to the "Root account" label. This will take you to the "Security Credentials" page for the root account.

        4. **Check and Delete Access Keys:**
           * On the "Security Credentials" page, scroll down to the "Access keys" section.
           * If there are any active access keys listed, click on the "Delete" button next to each key to remove them.
           * Confirm the deletion when prompted to ensure that the root account no longer has any access keys.

        By following these steps, you can ensure that the root account does not have any access keys, thereby enhancing the security of your AWS environment.
      </Accordion>

      <Accordion title="Using CLI">
        To prevent the root account from having access keys in AWS IAM using the AWS CLI, you can follow these steps:

        1. **Check for Existing Access Keys:**
           First, you need to check if there are any access keys associated with the root account. This can be done by listing the access keys for the root user.
           ```sh theme={null}
           aws iam list-access-keys --user-name root
           ```

        2. **Delete Existing Access Keys:**
           If there are any access keys associated with the root account, you should delete them. Replace `ACCESS_KEY_ID` with the actual access key ID you want to delete.
           ```sh theme={null}
           aws iam delete-access-key --user-name root --access-key-id ACCESS_KEY_ID
           ```

        3. **Create an IAM User for Administrative Tasks:**
           Instead of using the root account, create an IAM user with administrative privileges. This user will be used for tasks that require elevated permissions.
           ```sh theme={null}
           aws iam create-user --user-name AdminUser
           aws iam attach-user-policy --user-name AdminUser --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
           ```

        4. **Enable MFA for Root Account:**
           To further secure the root account, enable Multi-Factor Authentication (MFA). This step doesn't directly involve the CLI but is a best practice to ensure the root account is secure.
           ```sh theme={null}
           aws iam enable-mfa-device --user-name root --serial-number arn:aws:iam::123456789012:mfa/root-account-mfa-device --authentication-code1 123456 --authentication-code2 789012
           ```

        By following these steps, you can ensure that the root account does not have access keys, and you can use an IAM user with administrative privileges for necessary tasks.
      </Accordion>

      <Accordion title="Using Python">
        To prevent the root account from having access keys in IAM using Python scripts, you can use the AWS SDK for Python (Boto3). Here are the steps to achieve this:

        1. **Install Boto3**:
           Ensure you have Boto3 installed in your Python environment. You can install it using pip if you haven't already:
           ```bash theme={null}
           pip install boto3
           ```

        2. **Create a Boto3 Session**:
           Initialize a Boto3 session with the necessary credentials and region information.
           ```python theme={null}
           import boto3

           session = boto3.Session(
               aws_access_key_id='YOUR_ACCESS_KEY',
               aws_secret_access_key='YOUR_SECRET_KEY',
               region_name='YOUR_REGION'
           )
           ```

        3. **Check for Root Access Keys**:
           Use the IAM client to list access keys for the root account and ensure no access keys exist.
           ```python theme={null}
           iam_client = session.client('iam')

           # List access keys for the root account
           response = iam_client.list_access_keys(UserName='root')

           # Check if any access keys exist
           if response['AccessKeyMetadata']:
               print("Root account has access keys. Please remove them.")
           else:
               print("Root account does not have any access keys.")
           ```

        4. **Automate the Check and Preventive Action**:
           You can automate this check to run periodically and alert or take action if access keys are found.
           ```python theme={null}
           import boto3
           from botocore.exceptions import NoCredentialsError, PartialCredentialsError

           def check_root_access_keys():
               try:
                   session = boto3.Session(
                       aws_access_key_id='YOUR_ACCESS_KEY',
                       aws_secret_access_key='YOUR_SECRET_KEY',
                       region_name='YOUR_REGION'
                   )
                   iam_client = session.client('iam')

                   # List access keys for the root account
                   response = iam_client.list_access_keys(UserName='root')

                   # Check if any access keys exist
                   if response['AccessKeyMetadata']:
                       print("Root account has access keys. Please remove them.")
                       # Optionally, you can add code here to delete the keys automatically
                       # for key in response['AccessKeyMetadata']:
                       #     iam_client.delete_access_key(UserName='root', AccessKeyId=key['AccessKeyId'])
                   else:
                       print("Root account does not have any access keys.")
               except (NoCredentialsError, PartialCredentialsError) as e:
                   print(f"Error: {e}")

           # Run the check
           check_root_access_keys()
           ```

        This script will help you ensure that the root account does not have any access keys, thereby preventing potential security risks associated with root account access keys.
      </Accordion>
    </AccordionGroup>
  </Tab>

  <Tab title="Cause">
    ### Check Cause

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        1. Sign in to the AWS Management Console as an IAM user or role.
        2. In the navigation pane, choose "Users".
        3. In the "User Name" list, choose the name of the intended user which will take you to the "Summary" page.
        4. In the "Security Credential" section, look for "Access Keys". If any access keys (Access Key ID and Secret Access Key) are listed, it means the root account has access keys.
      </Accordion>

      <Accordion title="Using CLI">
        1. First, you need to install and configure AWS CLI on your local machine. You can do this by following the instructions provided by AWS. Once you have AWS CLI installed and configured, you can proceed to the next steps.

        2. Open your terminal or command prompt and run the following command to list all the users in your AWS account:

           ```
           aws iam list-users
           ```

           This command will return a list of all the IAM users in your AWS account.

        3. For each user in the list, run the following command to list the access keys associated with that user:

           ```
           aws iam list-access-keys --user-name <username>
           ```

           Replace `<username>` with the name of the user. This command will return a list of all the access keys associated with the specified user.

        4. If the root account is listed in the output of the first command, and it has access keys associated with it (as shown in the output of the third command), then the root account has access keys, which is a misconfiguration. The root account should not have access keys associated with it, as this can pose a security risk.
      </Accordion>

      <Accordion title="Using Python">
        1. First, you need to install the AWS SDK for Python (Boto3) if you haven't done so already. You can install it using pip:

        ```python theme={null}
        pip install boto3
        ```

        2. Import the necessary modules and create a session using your AWS credentials:

        ```python theme={null}
        import boto3

        session = boto3.Session(
            aws_access_key_id='YOUR_ACCESS_KEY',
            aws_secret_access_key='YOUR_SECRET_KEY',
            aws_session_token='SESSION_TOKEN',
        )
        ```

        3. Now, you can use the IAM client to list all the access keys associated with your root account:

        ```python theme={null}
        iam = session.client('iam')

        response = iam.list_access_keys(UserName='root')

        access_keys = response['AccessKeyMetadata']
        ```

        4. Finally, you can check if any access keys are associated with your root account:

        ```python theme={null}
        if access_keys:
            print("Root account has access keys")
        else:
            print("Root account does not have access keys")
        ```

        This script will print "Root account has access keys" if there are any access keys associated with your root account, and "Root account does not have access keys" otherwise. This way, you can easily detect if your root account has access keys, which is a common misconfiguration in AWS.
      </Accordion>
    </AccordionGroup>
  </Tab>

  <Tab title="Remediation">
    ### Remediation

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        1. **Sign in to the AWS Management Console**.
        2. **Navigate to the IAM service**.
        3. **Select Users from the navigation pane**.
        4. **Identify the root user**:
           * Locate the user with the username "root".
        5. **Review Access Keys**:
           * Click on the root user.
           * Go to the Security credentials tab.
           * Review the list of access keys.
        6. **Deactivate or Delete Access Keys**:
           * Select the active access key(s) associated with the root user.
           * Choose Deactivate or Delete to make the access key(s) inactive or delete them.
        7. **Repeat for other root users**:
           * If you have multiple root users, repeat the above steps for each of them.

        #
      </Accordion>

      <Accordion title="Using CLI">
        1. **List Access Keys**:

        ```bash theme={null}
        aws iam list-access-keys --user-name root
        ```

        2. **Identify Active Access Keys**:
           * Look for active access keys associated with the root user.
        3. **Deactivate or Delete Access Keys**:

        ```bash theme={null}
        aws iam update-access-key --access-key-id ACCESS_KEY_ID --status Inactive --user-name root
        ```

        Replace `ACCESS_KEY_ID` with the ID of the access key to deactivate.
        4\. **Repeat for other active access keys**:

        * If there are multiple active access keys associated with the root user, repeat the deactivation command for each of them.
      </Accordion>

      <Accordion title="Using Python">
        Here's a Python script to identify and deactivate active access keys associated with the root user:

        ```python theme={null}
        import boto3

        class RootAccessKeyChecker:
            def __init__(self):
                self.iam_client = boto3.client('iam')

            def get_active_access_keys(self):
                failures = []
                response = self.iam_client.list_access_keys(UserName='root')
                for key in response['AccessKeyMetadata']:
                    if key['Status'] == 'Active':
                        failures.append(key)
                return failures

            def deactivate_access_key(self, access_key_id):
                self.iam_client.update_access_key(
                    UserName='root',
                    AccessKeyId=access_key_id,
                    Status='Inactive'
                )
                print(f"Access key {access_key_id} has been deactivated.")

        # Instantiate the class
        checker = RootAccessKeyChecker()

        # Get active access keys for root user
        active_access_keys = checker.get_active_access_keys()

        # Deactivate active access keys
        for key in active_access_keys:
            checker.deactivate_access_key(key['AccessKeyId'])
        ```

        This Python script identifies active access keys associated with the root user and deactivates them.

        Make sure to have appropriate IAM permissions for managing access keys if you're using AWS CLI or Python script.
      </Accordion>
    </AccordionGroup>
  </Tab>
</Tabs>

### Additional Reading:

* [https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html](https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html)
