To secure your AWS environment and adhere to IAM best practices, ensure that the AWS root account user is not using access keys to perform API requests that access cloud resources or billing information. Trend Cloud One™ – Conformity strongly recommends removing any existing root access key pairs and instead using individual IAM users for accessing resources within your AWS cloud account.
This rule can help you with the following compliance standards:
- CISAWSF
- PCI
- HIPAA
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Anyone who has your root access keys can have unrestricted access to all the AWS services within your AWS account, including billing information. Removing these credentials from your root account user will significantly reduce the risk of unauthorized access to your cloud resources.
Audit
To determine if your AWS root account user has any access keys in use, perform the following operations:
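As an added example (not part of the Conformity rule page or of AWS's own tooling), the following Python script performs this audit offline against an IAM credential report, the same CSV that `aws iam get-credential-report` returns base64-encoded in its `Content` field (after `aws iam generate-credential-report` has produced one). The report embedded below is constructed for this example; the column names, the `<root_account>` user name and the `true`/`false`/`N/A` cell values are the ones AWS uses in the report. The script flags any root access key slot marked active and reports when and with which service it was last used, which is what an auditor needs before deleting the key in the console.

```python
"""Audit an IAM credential report for active root access keys.

Added example, not Conformity or AWS code. To run it against a real account,
download the report first (real CLI flags; requires iam:GenerateCredentialReport
and iam:GetCredentialReport):
    aws iam generate-credential-report
    aws iam get-credential-report --query Content --output text | base64 -d > report.csv
and pass the file contents to evaluate().
"""
import base64
import csv
import io
import sys

ROOT_USER = "<root_account>"  # AWS's fixed user name for the root row
KEY_SLOTS = ("1", "2")        # a principal has at most two access keys

# Constructed sample report (not real data): root has access key 1 active and
# recently used with S3; key 2 does not exist; IAM user alice is unaffected.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2020-01-15T10:00:00+00:00,not_supported,2024-03-01T08:12:00+00:00,not_supported,not_supported,true,true,2021-06-01T09:00:00+00:00,2024-02-28T17:45:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2022-05-10T12:00:00+00:00,true,2024-03-01T09:00:00+00:00,2024-01-01T00:00:00+00:00,N/A,true,true,2024-01-01T00:00:00+00:00,2024-03-01T09:30:00+00:00,eu-west-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""


def decode_report_content(content_b64: str) -> str:
    """Decode the base64 'Content' field of a get-credential-report response."""
    return base64.b64decode(content_b64).decode("utf-8")


def root_active_access_keys(report_csv: str) -> list:
    """Return one finding per active root access key slot.

    Each finding records the slot, when the key was last rotated, and the
    last-used date/region/service so the auditor can judge impact before
    deleting it. Raises if the report has no root row (malformed input).
    """
    reader = csv.DictReader(io.StringIO(report_csv))
    for row in reader:
        if row["user"] != ROOT_USER:
            continue
        findings = []
        for slot in KEY_SLOTS:
            if row[f"access_key_{slot}_active"] == "true":
                findings.append({
                    "slot": slot,
                    "last_rotated": row[f"access_key_{slot}_last_rotated"],
                    "last_used_date": row[f"access_key_{slot}_last_used_date"],
                    "last_used_region": row[f"access_key_{slot}_last_used_region"],
                    "last_used_service": row[f"access_key_{slot}_last_used_service"],
                })
        return findings
    raise ValueError("credential report contains no <root_account> row")


def evaluate(report_csv: str) -> dict:
    """Compliance verdict for the rule: compliant iff root has no active key."""
    findings = root_active_access_keys(report_csv)
    return {"compliant": not findings, "active_root_keys": findings}


def main() -> int:
    # Read a downloaded report from stdin, or fall back to the constructed sample.
    report = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    result = evaluate(report)
    if result["compliant"]:
        print("PASS: root account has no active access keys")
        return 0
    for f in result["active_root_keys"]:
        print(f"FAIL: root access key {f['slot']} is active "
              f"(last used {f['last_used_date']} via {f['last_used_service']} "
              f"in {f['last_used_region']}, last rotated {f['last_rotated']})")
    return 1


if __name__ == "__main__":
    sys.exit(main())
```

The check reads the `access_key_N_active` columns rather than the last-used columns on purpose: a key that has never been used is still a standing credential and still fails the rule. Remediation itself has to be done in the console (see the note below on CLI support); the script only tells you whether and which slot needs attention.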
Remediation / Resolution
To remove any active access keys created for your AWS root account, perform the following operations:
Note: Deleting AWS root access keys via the AWS Command Line Interface (CLI) is not currently supported.
References
- AWS Documentation
- AWS Identity and Access Management FAQs
- IAM Best Practices
- Best Practices for Managing AWS Access Keys
- Managing Access Keys for your AWS Account
- Getting Credential Reports for Your AWS Account
- AWS Command Line Interface (CLI) Documentation
- iam
- get-credential-report