How to Find AWS Account Root Users with Access Keys

The root user is the most privileged user in an AWS account. AWS access Keys provide programmatic access to a given AWS account.

It is recommended that all access keys associated with the root user be removed.

Removing access keys associated with the root user limits vectors by which the account can be compromised. Removing the root access keys encourages the creation and use of role based accounts that are least privileged.

info

This security check is part of the CIS Amazon Web Services Benchmarks and is rated severity critical.

Prerequisites

This guide assumes that you have already installed and configured Fix Inventory to collect your AWS resources.

Directions

1. Execute the following search command in Fix Inventory Shell:

   > search is(aws_root_user) with(any, --> is(access_key))
   ​kind=aws_root_user, ..., region=fixinventory-poweruser
   ​kind=aws_root_user, ..., account=poweruser-team

2. Pipe the search command into the dump command:

   > search is(aws_root_user) with(any, --> is(access_key)) | dump
   ​reported:
   ​  id: /aws/iam/123
   ​  name: some-name
   ​  ctime: '2022-12-05T22:53:14Z'
   ​  kind: aws_root_user
   ​  age: 2mo28d

   The command output will list the details of all non-compliant aws_root_user resources.

Remediation

• Create a credential report.
• Find all access_key_1_active and access_key_2_active fields that are set to True.
• Delete the related access keys.

note

Please refer to the AWS IAM documentation for details.

Further Reading

• Search
• Command-Line Interface
• aws_root_user Resource Data Model

External Links

• CIS Amazon Web Services Benchmarks
• AWS Documentation