How to Find AWS IAM Root Account Access Key exists
The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the root account be removed. Removing access keys associated with the root account limits vectors by which the account can be compromised. Removing the root access keys encourages the creation and use of role based accounts that are least privileged.
This security check is part of the CIS Amazon Web Services Benchmarks and is rated severity critical.
This guide assumes that you have already installed and configured Resoto to collect your AWS cloud resources.
Execute the following
searchcommand in Resoto Shell or Resoto UI:
> search is(aws_root_user) with(any, --> is(access_key))
kind=aws_root_user, ..., region=resoto-poweruser
kind=aws_root_user, ..., account=poweruser-team
searchcommand into the
> search is(aws_root_user) with(any, --> is(access_key)) | dump
The command output will list the details of all non-compliant
Fix detected issues by following the remediation steps:
- Create a credential report.
- Find all access_key_1_active and access_key_2_active fields that are set to True.
- Delete the related access keys.
Please refer to the AWS IAM documentation for details.