Root Account Usage

Risk level: High (not acceptable risk)

Rule ID: IAM-035

Ensure that the AWS root account credentials have not been used within the past 30 days (default threshold) to access your Amazon Web Services account in order to keep the root account usage minimised. Cloud Conformity strongly recommends locking down the root account usage and stop using the root credentials for your everyday tasks, or even the administrative ones. This conformity rule validates the usage of the root account credentials within the time frame set to enforce best practices for AWS user access inside your organization.

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

Locking down (restricting) your root account usage is crucial for keeping your AWS account safe because anyone who has your root credentials has unrestricted access to all the resources and services within your AWS environment, including billing information and the ability to change the root password. To avoid root account usage, we recommend implementing the principle of least privilege by creating AWS IAM users with minimal set of actions required to perform just the desired task(s).

Note: You can change the default threshold value for this rule (i.e. 30 days) on the Cloud Conformity console and set your own value for the period of time necessary for the rule validation.

Audit

To determine if your AWS root account credentials have been used within the past 30 days (default), perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, select Credential report.

04 Click Download Report button to download the AWS report that lists all your account's users and the status of their various credentials.

05 Open the downloaded credentials report (CSV file) downloaded at the previous step in your favorite spreadsheet/CSV editor and check the timestamp value (e.g. 2017-06-16T06:27:14+00:00), available in the password_last_used column for the <root_account> user. If the selected timestamp value (i.e. the time at which the root credentials have been last used) represents a date recorded within the past 30 days, the verified credentials have been used recently to access your AWS root account, therefore the root account access policy currently used is not following the AWS security best practices.

06 Repeat steps no. 1 – 5 for each Amazon Web Services root account that you want to examine.

Using AWS CLI

01 Run get-credential-report command (OSX/Linux/UNIX) to obtain the IAM credential report for your AWS account. A credential report is a document that lists all the AWS users (root and IAM users) and the current status of their credentials:

aws iam get-credential-report

02 The command output should return the document in a TEXT/CSV format, encoded with the Base64 encoding scheme:

{
    "Content": "CDuXcixh4sdXNlcl9cmV2PlYs ... D5YEmYWxzZ0sZmFsc2UsCAb0",
    "GeneratedTime": "2017-06-21T16:43:08Z",
    "ReportFormat": "text/csv"
}

03 Decode the IAM credential report content from the command line (OSX/Linux/UNIX) using the Base64 string returned at the previous step as the input data. In the following example, the credential report data is decoded and saved to a file named iam-credentials-report.csv:

echo -n CDuXcixh4sdXNlcl9cmV2PlYs ... D5YEmYWxzZ0sZmFsc2UsCAb0 | base64 –d >> iam-credentials-report.csv

04 Open iam-credentials-report.csv file in your favorite CSV file editor and check the timestamp value (e.g. 2017-06-16T06:27:14+00:00), available in the password_last_used column for the <root_account> user. If the timestamp value verified describes a time/date recorded within the past 30 days, the selected credentials have been used recently to access your AWS root account, therefore your root account access is not locked down.

05 Repeat steps no. 1 – 4 for each AWS root account that you want to examine via Command Line Interface (CLI).

Remediation / Resolution

To restrict AWS root account usage implement the principle of least privilege by creating IAM users with minimal set of permissions necessary to access and manage just the required AWS resources and services. To create MFA-enabled AWS IAM users necessary for everyday access, perform the following:

Note: As example, a new IAM user with full EC2 administrative privileges will be created to eliminate the need for using the root account to access and manage your EC2 resources. On the same note, it is recommended to create individual IAM users for different AWS resources and services, and different roles within your organization.

Using AWS Console

01 Sign in to the AWS Management Console with your root account credentials.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Users.

04 On the Users page, click Add User button set up the new IAM user.

05 On the Add User page, under Set user details, enter the name for your new user in the User name box. If necessary, click Add another user to create multiple IAM users at once. Under Select AWS access type, check AWS Management Console access option and choose whether to use an auto-generated password or your own custom password from the Console password section. To require a password reset at the next sign-in, select Require password reset.

06 Click the Next: Permissions button to continue the process with the access permissions setup.

07 On the Set permissions for <IAM_USER_NAME> page, choose Attach existing policies directly option and select the AmazonEC2FullAccess managed policy (assuming that full access to EC2 instances is needed) from the bottom panel. The selected access policy provides full access to Amazon EC2 resources via the AWS Management Console.

08 Click the Next: Review to continue with the IAM user setup review.

09 On the Review page, verify the IAM user configuration details and once you’re done click Create user button to create your new AWS IAM user.

10 Click Download .csv to save the file with your user password to a secure location on your machine. Once the file is downloaded, click the Close link to return to the IAM Users page.

11 To enable Multi-Factor Authentication (MFA) for the newly created user click on the IAM user name to access its configuration settings.

12 On the Summary page, select the Security credentials tab and click the edit button next to Assigned MFA device setting.

13 In the Manage MFA Device dialog box, select A virtual MFA device and click Next Step.

14 Now install the AWS MFA-compatible application. The MFA application used for this conformity rule is Google Authenticator. This guide assumes that you have already the application installed on your smartphone at this point, otherwise just follow these simple steps: https://support.google.com/accounts/answer/1066447?hl=en. Once the application is installed, click Next Step.

15 Scan the QR code using the Google Authenticator application and enter two consecutive authentication codes in the Authentication Code 1 and Authentication Code 2 boxes, then click Activate Virtual MFA to complete the setup process. If successful, the following message will be displayed: “The MFA device was successfully associated.”. Click Finish to exit the setup wizard.

16 To test the new MFA-enabled IAM user go back to the navigation panel, choose Dashboard and copy the sign-in link available under IAM users sign-in link section to your clipboard.

17 Sign out from your AWS root account, paste the sign-in link copied at the previous step into your browser address bar and check your new IAM user credentials (user name, password and MFA passcode).

Using AWS CLI

01 Run create-user command (OSX/Linux/UNIX) to create a new AWS IAM user. The following command example creates an IAM user named "aws-ec2-manager":

aws iam create-user
	--user-name aws-ec2-manager

02 If successful, the command output should return the new IAM user metadata (username, ID, ARN, etc):

{
    "User": {
        "UserName": "aws-ec2-manager",
        "Path": "/",
        "CreateDate": "2017-06-22T14:41:51.683Z",
        "UserId": "CYANIRKUJ6WBUJFI6DXYU",
        "Arn": "arn:aws:iam::123456789012:user/aws-ec2-manager"
    }
}

03 Run attach-user-policy command (OSX/Linux/UNIX) to attach the required managed policy (in this case the AmazonEC2FullAccess policy), identified by its ARN, to the newly created IAM user (if successful, the command does not produce an output):

aws iam attach-user-policy
	--policy-arn arn:aws:iam::aws:policy/AmazonEC2FullAccess
	--user-name aws-ec2-manager

04 Run create-login-profile command (OSX/Linux/UNIX) to assign a password for the IAM user (replace <your_password> placeholder with your own custom password):

aws iam create-login-profile
	--user-name aws-ec2-manager
	--password <your_password>
	--no-password-reset-required

05 The command output should return the new AWS IAM user login profile metadata:

{
    "LoginProfile": {
        "UserName": "aws-ec2-manager",
        "CreateDate": "2017-06-22T14:41:51.683Z",
        "PasswordResetRequired": false
    }
}

06 To enable Multi-Factor Authentication (MFA) for the newly created IAM user, run create-virtual-mfa-device command (OSX/Linux/UNIX) to create a new virtual MFA device within your AWS account:

aws iam create-virtual-mfa-device
	--virtual-mfa-device-name EC2ManagerMFADevice
	--outfile /root/QRCode.png
	--bootstrap-method QRCodePNG

07 The command output should return the new virtual MFA device Amazon Resource Name (ARN):

{
    "VirtualMFADevice": {
      "SerialNumber": "arn:aws:iam::123456789012:mfa/EC2ManagerMFADevice"
    }
}

08 Run enable-mfa-device command (OSX/Linux/UNIX) to activate the specified MFA virtual device (in this case Google Authenticator) and associate it with the new IAM user. The highlighted values represent two consecutive MFA device passcodes (the command does not produce an output):

aws iam enable-mfa-device
	--user-name John
	--serial-number arn:aws:iam::123456789012:mfa/EC2ManagerMFADevice
	--authentication-code-1 356689
	--authentication-code-2 672030

09 Finally, run list-mfa-devices command (OSX/Linux/UNIX) to determine if the new MFA device has been successfully installed for the selected IAM user:

aws iam list-mfa-devices
	--user-name aws-ec2-manager

10 If successful, the command output should return the MFA device metadata (ARN, instantiation date, etc ):

{
   "MFADevices": [
     {
      "UserName": "aws-ec2-manager",
      "SerialNumber":"arn:aws:iam::123456789012:mfa/EC2ManagerMFADevice",
      "EnableDate": "2017-06-29T18:51:54Z"
     }
   ]
}

11 Repeat steps no. 1 – 10 to create additional MFA-enabled IAM users using AWS Command Line Interface (CLI).

References

AWS Command Line Interface (CLI) Documentation
iam
get-credential-report
create-user
attach-user-policy
create-login-profile
list-mfa-devices
create-virtual-mfa-device
enable-mfa-device

AWS Blog(s):
Adhere to IAM Best Practices in 2016

Publication date Jul 1, 2017

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for and

You are auditing:

Root Account Usage

Risk level: High

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related IAM rules