How to Find AWS Account Root Users with Access Keys
The root user is the most privileged user in an AWS account. AWS access Keys provide programmatic access to a given AWS account.
It is recommended that all access keys associated with the root user be removed.
Removing access keys associated with the root user limits vectors by which the account can be compromised. Removing the root access keys encourages the creation and use of role based accounts that are least privileged.
This security check is part of the CIS Amazon Web Services Benchmarks and is rated severity critical.
Prerequisites​
This guide assumes that you have already installed and configured Fix Inventory to collect your AWS resources.
Directions​
-
Execute the following
searchcommand in Fix Inventory Shell:> search is(aws_root_user) with(any, --> is(access_key))
​kind=aws_root_user, ..., region=fixinventory-poweruser
​kind=aws_root_user, ..., account=poweruser-team -
Pipe the
searchcommand into thedumpcommand:> search is(aws_root_user) with(any, --> is(access_key)) | dump
​reported:
​ id: /aws/iam/123
​ name: some-name
​ ctime: '2022-12-05T22:53:14Z'
​ kind: aws_root_user
​ age: 2mo28dThe command output will list the details of all non-compliant
aws_root_userresources.
Remediation​
- Create a credential report.
- Find all access_key_1_active and access_key_2_active fields that are set to True.
- Delete the related access keys.
Please refer to the AWS IAM documentation for details.