
More Info:

Ensure that your root user password is rotated regularly; the procedures below use a 90-day maximum age as the example threshold.

Risk Level

Critical

Address

Security

Compliance Standards

AWSWAF

Triage and Remediation

  • Prevention
  • Cause
  • Remediation

How to Prevent

Using Console

To address this misconfiguration using the AWS Management Console, follow these steps:
  1. Sign in to the AWS Management Console:
  2. Navigate to IAM Dashboard:
    • In the AWS Management Console, go to the Services menu.
    • Under Security, Identity, & Compliance, select IAM to open the IAM Dashboard.
  3. Access Account Settings:
    • In the IAM Dashboard, on the left-hand side, click on Account settings.
    • Here, you will see various security recommendations and settings for your AWS account.
  4. Set a Password Rotation Policy for IAM Users:
    • Look for the section related to Password Policy.
    • Set a maximum password age so that IAM user passwords expire, for example every 90 days.
    • Save the changes to apply the new password policy.
    • Note that the account password policy applies only to IAM users. It does not apply to the root user, so the root password has to be rotated manually, as in the next step.
  5. Rotate the Root User Password:
    • Sign in using your root user credentials.
    • Open “Security Credentials” from the account menu in the top right corner.
    • Click “Update Console Password” in the “AWS IAM Credentials” section and enter a new, long, unique password stored in a password manager.
    • Save the changes to apply the new password.
    • Record the rotation date in your own records (password manager history or change ticket); AWS offers no API to change the root password, and the credential report often does not expose when it was last changed.
By following these steps, you can ensure that the root user password is rotated regularly, enhancing the security of your AWS environment.
Using CLI

To address this misconfiguration using the AWS CLI, follow these steps. Note that the root user password itself cannot be changed from the CLI or the API (the IAM ChangePassword operation never affects the root user), so the rotation in step 5 of the console procedure stays manual; the commands below harden the account around the root user and set up the evidence needed to verify rotation.
  1. Create a Password Policy: Set an account password policy with a maximum password age so that IAM users must change their passwords periodically. This policy governs IAM users only; it does not apply to the root user. The update is not partial: any setting you omit reverts to its default, so pass every setting you want in one call.
    aws iam update-account-password-policy --max-password-age 90 --minimum-password-length 14 --password-reuse-prevention 24
    
  2. Enable MFA for the Root User: Multi-Factor Authentication (MFA) makes a stolen or leaked password insufficient on its own. For the root user, MFA can only be enabled from the console (sign in as root, then open Security Credentials). The enable-mfa-device command applies to IAM users, not to the root user, so use it for the IAM users you operate with day to day:
    aws iam enable-mfa-device --user-name <IAM_USER_NAME> --serial-number <MFA_DEVICE_SERIAL> --authentication-code-1 <MFA_CODE_1> --authentication-code-2 <MFA_CODE_2>
    
  3. Use IAM Users with Limited Permissions: Instead of using the root user for daily operations, work through IAM users (or federated roles) that carry only the permissions they need; this keeps the root password out of routine use. IAM users rotate their own console password with the command below, which the policy from step 1 enforces. It changes only the calling IAM user's password and cannot rotate the root password. Prefer entering the passwords interactively rather than on the command line, where shell history records them.
    aws iam change-password --old-password <OLD_PASSWORD> --new-password <NEW_PASSWORD>
    
  4. Monitor Root User Usage: Regularly review root user activity so that the account is only ever used for the tasks that require it. Create a multi-region CloudTrail trail, start logging, and review the events whose userIdentity.type is Root:
    aws cloudtrail create-trail --name <TRAIL_NAME> --s3-bucket-name <S3_BUCKET_NAME> --is-multi-region-trail
    aws cloudtrail start-logging --name <TRAIL_NAME>
    
By following these steps you harden the account around the root user and gain the evidence to confirm that its password is being rotated, even though the rotation itself has to be done in the console.
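As an added example, not code from the original page, the following Python script applies the root-usage rule from the CIS AWS Foundations Benchmark metric filter (userIdentity.type is Root, no invokedBy, eventType is not AwsServiceEvent) to the body of a CloudTrail log file delivered by the trail created in step 4. The records are constructed for illustration: two genuine root actions, one IAM user action, and one service event that carries a Root identity and must not be counted.

```python
import json
from collections import Counter

# CloudWatch Logs metric filter pattern recommended by the CIS benchmark for
# root usage; is_root_activity() below applies the same three conditions.
ROOT_USAGE_FILTER_PATTERN = (
    '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS '
    '&& $.eventType != "AwsServiceEvent" }'
)

# Constructed CloudTrail log file body (invented values, CloudTrail schema).
SAMPLE_TRAIL_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T08:12:03Z", "eventName": "ConsoleLogin",
     "eventType": "AwsConsoleSignIn", "eventSource": "signin.amazonaws.com",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "accountId": "111122223333"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2024-05-01T08:15:41Z", "eventName": "UpdateAccountPasswordPolicy",
     "eventType": "AwsApiCall", "eventSource": "iam.amazonaws.com",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "accountId": "111122223333"}},
    {"eventTime": "2024-05-01T09:00:00Z", "eventName": "DescribeInstances",
     "eventType": "AwsApiCall", "eventSource": "ec2.amazonaws.com",
     "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot",
                      "accountId": "111122223333"}},
    # A service acting on the account's behalf: Root identity, but invokedBy
    # is set and the event type is AwsServiceEvent, so it is not root usage.
    {"eventTime": "2024-05-01T09:30:00Z", "eventName": "CreateSnapshot",
     "eventType": "AwsServiceEvent", "eventSource": "ec2.amazonaws.com",
     "sourceIPAddress": "ec2.amazonaws.com",
     "userIdentity": {"type": "Root", "accountId": "111122223333",
                      "invokedBy": "ec2.amazonaws.com"}},
]})


def is_root_activity(record):
    """True when a record represents a person or tool using root credentials."""
    identity = record.get("userIdentity", {})
    return (identity.get("type") == "Root"
            and "invokedBy" not in identity
            and record.get("eventType") != "AwsServiceEvent")


def root_activity(log_text):
    """Return root-user events from a log file body with the fields an
    analyst triages on: time, action, source address and whether MFA was used."""
    records = json.loads(log_text)["Records"]
    return [{"time": r["eventTime"], "event": r["eventName"],
             "source_ip": r.get("sourceIPAddress"),
             "mfa": r.get("additionalEventData", {}).get("MFAUsed", "n/a")}
            for r in records if is_root_activity(r)]


def summarize(log_text):
    """Count root events per (action, source address) so a burst of activity
    from an unexpected address stands out during review."""
    return Counter((e["event"], e["source_ip"]) for e in root_activity(log_text))


if __name__ == "__main__":
    for event in root_activity(SAMPLE_TRAIL_LOG):
        print(event)
    print(dict(summarize(SAMPLE_TRAIL_LOG)))
```

Point root_activity() at the decompressed JSON objects CloudTrail writes to the S3 bucket, or load ROOT_USAGE_FILTER_PATTERN into a CloudWatch Logs metric filter with an alarm if the trail also delivers to a log group; either way, every hit should be traceable to a planned root task such as the password rotation itself.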
Using Python

The root user password cannot be set through the AWS SDK, so a script cannot rotate it for you. What a script can do is check whether rotation is overdue and raise an alert. To do that with Python, follow these steps:

1. Set Up AWS SDK (Boto3)

First, ensure you have the AWS SDK for Python (Boto3) installed. You can install it using pip if you haven’t already:
pip install boto3

2. Create a Python Script to Check Password Age

Create a Python script that checks the age of the root user password against a threshold (e.g., 90 days) and reports whether it needs rotation. The root user has no IAM login profile, so GetLoginProfile cannot be used for this (called with IAM user credentials it would silently report that user's profile instead); the script reads the account credential report and looks at its <root_account> row.
import csv
import io
import time
from datetime import datetime, timedelta, timezone

import boto3

# Initialize an IAM client. The caller needs iam:GenerateCredentialReport and
# iam:GetCredentialReport; root credentials are not required.
client = boto3.client('iam')

# Define the threshold for password age (e.g., 90 days)
threshold_days = 90

# Generating the credential report is asynchronous: request it and poll until
# the state is COMPLETE, then download the CSV content.
while client.generate_credential_report()['State'] != 'COMPLETE':
    time.sleep(2)
report = client.get_credential_report()['Content'].decode('utf-8')

# The root user is the <root_account> row of the report
root = next(row for row in csv.DictReader(io.StringIO(report))
            if row['user'] == '<root_account>')

# password_last_changed is an ISO 8601 timestamp for IAM users. For the root
# row AWS commonly reports not_supported instead of a date; then the last
# rotation date has to come from your own records (password manager, ticket).
last_changed = root['password_last_changed']
if last_changed in ('not_supported', 'no_information', 'N/A'):
    print(f"Root password last-changed date is not available ({last_changed}); "
          "check your rotation records and rotate via the console if in doubt.")
else:
    # Use a timezone-aware "now": subtracting an aware timestamp from a naive
    # datetime.now() raises TypeError
    changed_at = datetime.fromisoformat(last_changed.replace('Z', '+00:00'))
    password_age = datetime.now(timezone.utc) - changed_at

    # Check if the password age exceeds the threshold
    if password_age > timedelta(days=threshold_days):
        print("Root user password needs to be rotated.")
    else:
        print("Root user password is within the acceptable age limit.")
The script only reports; the rotation itself is still performed by signing in as root in the console. Run it on a schedule (for example from a Lambda function or a CI job) and route its output to whoever owns the root credentials, so that an overdue rotation is noticed rather than discovered during an incident.
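As an added example that is not part of the original page, the script below generalizes the check above to what the credential report can actually tell you: it handles the not_supported, N/A and no_information values the report uses instead of dates, falls back to an externally recorded rotation date for the root row, evaluates every IAM user that has a console password against the same maximum age, and flags a root user without MFA or with active access keys alongside overdue passwords. The report content, the rotation record (ROOT_ROTATION_RECORD) and the as-of date (AS_OF) are constructed for illustration and are not AWS-supplied values.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed credential report: the column names AWS emits, invented values.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::111122223333:root,2019-03-02T10:00:00+00:00,not_supported,2024-04-28T07:55:12+00:00,not_supported,not_supported,true,false,false
alice,arn:aws:iam::111122223333:user/alice,2021-06-01T09:00:00+00:00,true,2024-05-01T08:00:00+00:00,2024-01-10T12:00:00+00:00,2024-04-09T12:00:00+00:00,true,true,false
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2022-02-14T09:00:00+00:00,false,no_information,N/A,N/A,false,true,false
"""

# Hypothetical: the date the root password was last rotated, taken from your
# own records (password-manager history or change ticket). AWS does not supply
# it when the report row says not_supported.
ROOT_ROTATION_RECORD = "2024-01-15T00:00:00+00:00"

# Constructed "now" so the example is reproducible; use datetime.now(timezone.utc) in practice.
AS_OF = datetime(2024, 5, 2, tzinfo=timezone.utc)

# Placeholder values the report uses where no timestamp exists
UNKNOWN = {"not_supported", "no_information", "N/A"}


def parse_report(text):
    """Parse the CSV body of a credential report into one dict per principal."""
    return list(csv.DictReader(io.StringIO(text)))


def parse_time(value):
    """Parse the report's ISO 8601 timestamps into aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def password_age_days(row, now, root_record=None):
    """Whole days since the password was last changed, or None if unknown.
    For the root row, fall back to an externally recorded rotation date."""
    value = row["password_last_changed"]
    if value in UNKNOWN and row["user"] == "<root_account>" and root_record:
        value = root_record
    if value in UNKNOWN:
        return None
    return (now - parse_time(value)).days


def evaluate(text, now, max_age_days=90, root_record=None):
    """Return finding strings for the root user and every IAM user with a password."""
    findings = []
    for row in parse_report(text):
        is_root = row["user"] == "<root_account>"
        # The root user always has a password; IAM users only when password_enabled
        if is_root or row["password_enabled"] == "true":
            age = password_age_days(row, now, root_record)
            if age is None:
                findings.append(f"{row['user']}: password rotation date unknown")
            elif age > max_age_days:
                findings.append(f"{row['user']}: password is {age} days old (max {max_age_days})")
        if is_root:
            # Both checks come from the same row and matter more than password age
            if row["mfa_active"] != "true":
                findings.append("<root_account>: MFA not enabled")
            if "true" in (row["access_key_1_active"], row["access_key_2_active"]):
                findings.append("<root_account>: active access key present")
    return findings


if __name__ == "__main__":
    for finding in evaluate(SAMPLE_REPORT, AS_OF, root_record=ROOT_ROTATION_RECORD):
        print(finding)
```

With the sample data the root row has no usable date, so the recorded rotation date is used and found to be 108 days old, alice's password is 112 days old, and deploy-bot is skipped because it has no console password. Without a rotation record the root finding becomes "password rotation date unknown", which is the right outcome: an unknown rotation date is a gap to close, not a pass.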
