How to Find AWS Account Root Users with Access Keys
The root user is the most privileged user in an AWS account. AWS access Keys provide programmatic access to a given AWS account.
It is recommended that all access keys associated with the root user be removed.
Removing access keys associated with the root user limits vectors by which the account can be compromised. Removing the root access keys encourages the creation and use of role based accounts that are least privileged.
This security check is part of the CIS Amazon Web Services Benchmarks and is rated severity critical.
> search is(aws_root_user) with(any, --> is(access_key))
kind=aws_root_user, ..., region=resoto-poweruser
kind=aws_root_user, ..., account=poweruser-team
searchcommand into the
> search is(aws_root_user) with(any, --> is(access_key)) | dump
The command output will list the details of all non-compliant
- Create a credential report.
- Find all access_key_1_active and access_key_2_active fields that are set to True.
- Delete the related access keys.
Please refer to the AWS IAM documentation for details.