Root Account Access Keys Present

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (act today)
Rule ID: IAM-015

To secure your AWS environment and adhere to IAM best practices ensure that the AWS root account user is not using access keys to perform API requests to access cloud resources or billing information. Trend Cloud One™ – Conformity strongly recommends removing any existing root key pairs and instead use individual IAM users for accessing resources within your AWS cloud account.

This rule can help you with the following compliance standards:

  • CISAWSF
  • PCI
  • HIPAA
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Anyone who has your root access keys can have unrestricted access to all the AWS services within your AWS account, including billing information. Removing these credentials from your root account user will significantly reduce the risk of unauthorized access to your cloud resources.


Audit

To determine if your AWS root account user has any access keys in use, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console using the root account credentials.

02 Click on the AWS account name/number available in the upper-right corner of the Management Console and select My Security Credentials from the dropdown menu.

03 On Your Security Credentials page, click on the Access keys (Access key ID and secret access key) tab to expand the configuration panel with the root access keys.

04 Check the value available in the Status column for each root access key pair to determine the key pair status. If the Management Console displays one or more active access keys, your AWS root account is configured with active access keys, therefore your root access configuration does not follow the IAM security best practices regarding protection against unauthorized access.

05 Repeat steps no. 1 – 4 for each AWS root account that you want to examine.

Using AWS CLI

01 Run get-credential-report command (OSX/Linux/UNIX) to obtain the IAM credential report for your AWS cloud account. A credential report is a CSV document that lists all the AWS users (root and IAM users) created within your AWS cloud account and the current status of their access credentials:

aws iam get-credential-report

02 The command output should return the requested document in a TEXT/CSV format, encoded with the Base64 encoding scheme, as shown in the example below:

{
  "Content": "abcdabcdabcdabcdabcdabcdabcdabc",
  "ReportFormat": "text/csv",
  "GeneratedTime": "2021-04-16T15:00:00+00:00"
}

03 Decode the IAM credential report content from the command line (OSX/Linux/UNIX) using the Base64 string returned at the previous step as the input data. In the following example, the report is decoded and saved to a file named cc-iam-credentials-report.csv:

echo -n abcdabcdabcdabcdabcdabcdabcdabc | base64 -d > cc-iam-credentials-report.csv

04 Open cc-iam-credentials-report.csv in a text editor and check the value available in the access_key_1_active and access_key_2_active columns for the <root_account> user. If the value set for the access_key_1_active and/or access_key_2_active attributes is TRUE, your AWS root account has at least one active access key pair, which increases the risk of unauthorized access to your account.

05 Repeat steps no. 1 – 4 for each AWS root account that you want to examine.
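The audit steps above can be scripted so that the root user's access_key_1_active and access_key_2_active columns are read from the credential report by header name rather than by eye. The script below is an added example, not Conformity's own code: the CSV it evaluates is constructed sample data with only a subset of the real report's columns, and the audit_live_account function (not run by default) assumes AWS CLI credentials that are allowed to generate and fetch the credential report.

```shell
#!/bin/sh
# Added example (not part of the Conformity rule page): evaluate an IAM
# credential report and flag active root access keys. Columns are looked up
# by header name, so the check also works on the full report, whose column
# order is not hard-coded here.

# Constructed sample report (subset of the real columns). Root has one active
# access key; the IAM user "alice" is included to show it is ignored.
SAMPLE_REPORT='user,arn,user_creation_time,password_enabled,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2016-05-24T10:00:00+00:00,not_supported,true,true,2021-04-10T09:12:00+00:00,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2020-01-01T00:00:00+00:00,true,true,true,2021-04-16T14:00:00+00:00,false,N/A'

# Reads a credential report CSV on stdin and prints the name of every active
# root access key column (access_key_1 / access_key_2), one per line.
# Prints nothing when the root user has no active keys.
root_active_keys() {
  awk -F',' '
    NR == 1 {
      # map header names to column positions
      for (i = 1; i <= NF; i++) col[$i] = i
      next
    }
    $(col["user"]) == "<root_account>" {
      if (tolower($(col["access_key_1_active"])) == "true") print "access_key_1"
      if (tolower($(col["access_key_2_active"])) == "true") print "access_key_2"
    }'
}

# Exit status 0 (shell true) when the root user has at least one active key.
root_has_active_keys() {
  [ -n "$(root_active_keys)" ]
}

# Same check against the live account. The report is generated
# asynchronously, so the fetch is retried until it is available.
# Not invoked by default so the sample below runs offline.
audit_live_account() {
  aws iam generate-credential-report >/dev/null
  for _ in 1 2 3 4 5 6; do
    if report=$(aws iam get-credential-report --query Content --output text 2>/dev/null); then
      printf '%s' "$report" | base64 -d | root_active_keys
      return 0
    fi
    sleep 5
  done
  echo "credential report not available yet" >&2
  return 1
}

# Demo on the constructed sample: reports the finding the way a CI gate would.
if printf '%s\n' "$SAMPLE_REPORT" | root_has_active_keys; then
  echo "FAIL: root user has active access keys:"
  printf '%s\n' "$SAMPLE_REPORT" | root_active_keys
else
  echo "PASS: no active root access keys"
fi
```

Calling audit_live_account replaces the manual copy of the Base64 string from step 2: the --query Content --output text options make the CLI print only the encoded report, which is piped straight into base64 -d and then into the same check that the sample exercises.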

Remediation / Resolution

To remove any active access keys created for your AWS root account, perform the following operations:

Note: Deleting AWS root access keys via AWS Command Line Interface (CLI) is not currently supported.

Using AWS Console

01 Sign in to the AWS Management Console using the root account credentials.

02 Click on the AWS account name/number available in the upper-right corner of the Management Console and select My Security Credentials from the dropdown menu.

03 On Your Security Credentials page, click on the Access keys (Access key ID and secret access key) tab to expand the configuration panel with the root access keys.

04 Remove the active access key created for your AWS root account by clicking the Delete link available in the Actions column.

05 Inside the Delete <access-key-id>? confirmation box, choose Deactivate to decommission the root key, enter the access key ID in the required input field, then choose Delete to remove the access key for the AWS root account.

06 If your AWS root account has two access keys activated, repeat steps no. 4 and 5 to remove them both.

07 Repeat steps no. 1 – 6 for each AWS root account that you want to secure by removing the root access keys.

Publication date May 24, 2016