
AWS Root Account Access Keys

Last updated: 27 April 2018
Security

Risk level: High (not acceptable risk)

To secure your AWS environment and adhere to IAM best practices, ensure that the AWS account (root user) is not using access keys to perform API requests against resources or billing information. Cloud Conformity strongly recommends removing any existing root access key pairs and using individual IAM users to access resources within your AWS account.

This rule resolution is part of the Cloud Conformity Security Package

Anyone who has your root access keys can gain unrestricted access to all the services within your AWS environment, including billing information. Removing these credentials from your root account will significantly reduce the risk of unauthorized access to your AWS resources.

Audit

To determine if your AWS root account has any access keys in use, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Click on the AWS account name or number in the upper-right corner of the management console and select Security Credentials from the dropdown menu.

03 On Your Security Credentials page, click on the Access Keys (Access Key ID and Secret Access Key) accordion tab to expand the root access keys management section.

04 In the access keys table, under the Status column, check for any keys with the status set to Active. If the table displays one or more active keys, your AWS root account is not following the IAM security best practices for protection against unauthorized access.

05 Repeat steps no. 1 – 5 for each AWS root account that you want to examine.

Using AWS CLI

01 Run the get-credential-report command (OSX/Linux/UNIX) to obtain the IAM credential report for your AWS account. A credential report is a document that lists all the AWS users (root and IAM users) and the current status of their credentials:

aws iam get-credential-report

02 The command output should return the report as a text/CSV document encoded with the Base64 encoding scheme:

{
    "Content": "dXNlcixhcm4sdXNlcl9jcmVd ... bHNlLE4vQSxmYWxzZSxOL0E=",
    "GeneratedTime": "2016-05-18T10:15:02Z",
    "ReportFormat": "text/csv"
}

03 Decode the IAM credential report content from the command line (OSX/Linux/UNIX), using the Base64 string returned in the previous step as the input data. In the following example, the report is decoded and saved to a file named credentials-report.csv:

echo -n dXNlcixhcm4sdXNlcl9jcmVd ... bHNlLE4vQSxmYWxzZSxOL0E= | base64 -d > credentials-report.csv

04 Open credentials-report.csv in your preferred CSV file editor and check the values in the access_key_1_active and access_key_2_active columns for the AWS root account. If the value of access_key_1_active and/or access_key_2_active is TRUE, your AWS root account has at least one active access key. Using access keys for your root account increases the risk of unauthorized access. Follow the Remediation / Resolution section steps to remove these credentials from your account.

05 Repeat steps no. 1 – 4 for each AWS root account that you want to examine.
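The CLI audit above, automated end to end as an added example (not Cloud Conformity's own code): the script generates and fetches the credential report, decodes it, and checks the root account row by column name rather than position. It assumes the AWS CLI is installed and credentialed with IAM read permissions; the sample reports, account ID and script name are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Cloud Conformity's code): audit one AWS account for
# active root access keys using the IAM credential report. Requires the
# AWS CLI with iam:GenerateCredentialReport and iam:GetCredentialReport.

# The report is generated asynchronously: generate-credential-report must
# be called first and returns STARTED/INPROGRESS until it reports COMPLETE.
fetch_report() {
  until aws iam generate-credential-report --query State --output text | grep -q COMPLETE; do
    sleep 2
  done
  # --output text prints the Base64 Content field raw, ready for base64 -d.
  aws iam get-credential-report --query Content --output text | base64 -d
}

# Reads the decoded CSV report on stdin. Columns are resolved from the header
# so the check still works if AWS reorders or adds columns.
# Exit status: 0 = root has an active key, 1 = none active, 2 = bad input.
root_keys_active() {
  awk -F',' '
    NR == 1 {
      for (i = 1; i <= NF; i++) col[$i] = i
      if (!("access_key_1_active" in col) || !("access_key_2_active" in col)) bad = 1
      next
    }
    $1 == "<root_account>" {
      if (tolower($col["access_key_1_active"]) == "true" ||
          tolower($col["access_key_2_active"]) == "true") active = 1
    }
    END { exit bad ? 2 : (active ? 0 : 1) }
  '
}

# Constructed sample reports (abbreviated header, placeholder account ID) for
# offline testing; a real report contains more columns than shown here.
SAMPLE_ACTIVE='user,arn,user_creation_time,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::123456789012:root,2016-01-05T10:00:00+00:00,not_supported,true,true,false
alice,arn:aws:iam::123456789012:user/alice,2016-02-10T09:30:00+00:00,true,true,true,false'
SAMPLE_CLEAN='user,arn,user_creation_time,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::123456789012:root,2016-01-05T10:00:00+00:00,not_supported,true,false,false
alice,arn:aws:iam::123456789012:user/alice,2016-02-10T09:30:00+00:00,true,true,true,false'

# Live audit runs only when invoked as: sh audit-root-keys.sh audit
if [ "${1:-}" = "audit" ]; then
  fetch_report | root_keys_active
  case $? in
    0) echo "FAIL: root account has an active access key" >&2; exit 1 ;;
    1) echo "PASS: no active root access keys" ;;
    *) echo "ERROR: could not parse credential report" >&2; exit 2 ;;
  esac
fi
```

Run it once per account (or per profile with AWS_PROFILE set) to reproduce steps 1 to 4 without a spreadsheet editor.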

Remediation / Resolution

To remove any active access keys created for your AWS root account, perform the following:

Note: Deleting AWS root access keys via Command Line Interface (CLI) is not currently supported.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Click on the AWS account name or number in the upper-right corner of the management console and select Security Credentials from the dropdown menu.

03 On Your Security Credentials page, click on the Access Keys (Access Key ID and Secret Access Key) accordion tab to expand the access keys management section.

04 In the Status column of the root access keys table, check for any keys with the status set to Active and remove them by clicking the Delete link available in the Actions column.

05 In the Delete Access Key dialog box, click Yes to confirm your action. The access key status should now change from Active to Deleted.

06 Repeat steps no. 1 – 5 for each AWS root account that you want to secure by removing the access keys.

Publication date May 24, 2016