Skip to main content

How to Find AWS IAM Root Account Access Key exists

Problem

The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the root account be removed. Removing access keys associated with the root account limits vectors by which the account can be compromised. Removing the root access keys encourages the creation and use of role based accounts that are least privileged.

info

This security check is part of the CIS Amazon Web Services Benchmarks and is rated severity critical.

Prerequisites

This guide assumes that you have already installed and configured Resoto to collect your AWS cloud resources.

Directions

  1. Execute the following search command in Resoto Shell or Resoto UI:

    > search is(aws_root_user) with(any, --> is(access_key))
    ​kind=aws_root_user, ..., region=resoto-poweruser
    ​kind=aws_root_user, ..., account=poweruser-team
  2. Pipe the search command into the dump command:

    > search is(aws_root_user) with(any, --> is(access_key)) | dump
    ​reported:
    ​ id: /aws/iam/123
    ​ name: some-name
    ​ ctime: '2022-12-05T22:53:14Z'
    ​ kind: aws_root_user
    ​ age: 2mo28d

    The command output will list the details of all non-compliant aws_root_user resources.

  3. Fix detected issues by following the remediation steps:

    • Create a credential report.
    • Find all access_key_1_active and access_key_2_active fields that are set to True.
    • Delete the related access keys.
    note

    Please refer to the AWS IAM documentation for details.

Further Reading