Ensure that the AWS root account credentials have not been used within the past 30 days (the default threshold) to access your Amazon Web Services account, in order to keep root account usage to a minimum. Cloud Conformity strongly recommends locking down root account usage and not using the root credentials for everyday tasks, or even for administrative ones. This conformity rule checks whether the root account credentials have been used within the configured time frame, to enforce best practices for AWS user access inside your organization.
This rule can help you with the following compliance standards:
- The Center for Internet Security AWS Foundations Benchmark
- Payment Card Industry Data Security Standard (PCI DSS)
- Health Insurance Portability and Accountability Act (HIPAA)
- APRA
- MAS
- NIST 800-53 (Rev. 4)
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Locking down (restricting) your root account usage is crucial for keeping your AWS account safe, because anyone who holds your root credentials has unrestricted access to all the resources and services within your AWS environment, including billing information and the ability to change the root password. To avoid root account usage, we recommend implementing the principle of least privilege by creating AWS IAM users with the minimal set of actions required to perform just the desired task(s).
Note: You can change the default threshold value for this rule (i.e. 30 days) in the Cloud Conformity console and set your own value for the period of time used for the rule validation.
Audit
To determine if your AWS root account credentials have been used within the past 30 days (default), perform the following:
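As an added example (not Cloud Conformity's own audit steps), the Python below evaluates a decoded IAM credential report offline and reports whether any root credential (console password or either access key) was used within the threshold. It assumes the report was fetched with `aws iam get-credential-report --query Content --output text | base64 -d`; the sample report embedded here is constructed and carries only a subset of the real report's columns.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Credential-report columns that record when the root credentials were used.
USAGE_COLUMNS = (
    "password_last_used",
    "access_key_1_last_used_date",
    "access_key_2_last_used_date",
)

# Constructed sample: a subset of the real report's columns, two rows.
# Report timestamps are ISO 8601 with a +00:00 offset, as AWS emits them.
SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,not_supported,2019-02-20T08:15:00+00:00,true,true,2019-02-25T12:00:00+00:00,false,N/A
alice,arn:aws:iam::123456789012:user/alice,true,2019-03-01T09:00:00+00:00,true,true,2019-02-28T10:00:00+00:00,false,N/A
"""

def parse_timestamp(value):
    """Return a tz-aware datetime, or None for N/A / no_information / not_supported."""
    if not value or value in ("N/A", "no_information", "not_supported"):
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S%z")

def root_last_used(report_csv):
    """Most recent use of any root credential (password or access key), or None."""
    rows = csv.DictReader(io.StringIO(report_csv))
    root = next((r for r in rows if r["user"] == "<root_account>"), None)
    if root is None:
        raise ValueError("credential report has no <root_account> row")
    stamps = [parse_timestamp(root.get(col, "")) for col in USAGE_COLUMNS]
    stamps = [s for s in stamps if s is not None]
    return max(stamps) if stamps else None

def root_used_within(report_csv, now, threshold_days=30):
    """True when root credentials were used in the last threshold_days (rule fails)."""
    last = root_last_used(report_csv)
    return last is not None and (now - last) <= timedelta(days=threshold_days)

if __name__ == "__main__":
    # Stand-alone run against the constructed sample; for a real account, decode
    # the report with the aws CLI command named in the lead-in and pass its text.
    now = datetime.now(timezone.utc)
    print("root last used:", root_last_used(SAMPLE_REPORT))
    print("used within 30 days:", root_used_within(SAMPLE_REPORT, now))
```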
Remediation / Resolution
To restrict AWS root account usage, implement the principle of least privilege by creating IAM users with the minimal set of permissions necessary to access and manage just the required AWS resources and services. To create MFA-enabled AWS IAM users for everyday access, perform the following:
Note: As an example, a new IAM user with full EC2 administrative privileges will be created to eliminate the need for using the root account to access and manage your EC2 resources. Along the same lines, it is recommended to create individual IAM users for different AWS resources and services, and for the different roles within your organization.
References
- AWS Documentation
  - AWS IAM FAQs
  - IAM Best Practices
  - AWS Security Audit Guidelines
  - Creating an IAM User in Your AWS Account
  - Multi-Factor Authentication
  - Using Multi-Factor Authentication (MFA) in AWS
- AWS Command Line Interface (CLI) Documentation
  - iam
    - get-credential-report
    - create-user
    - attach-user-policy
    - create-login-profile
    - list-mfa-devices
    - create-virtual-mfa-device
    - enable-mfa-device
- AWS Blog(s):
  - Adhere to IAM Best Practices in 2016
Root Account Usage
Risk level: High