Ensure that your AWS root account credentials have not been used within the past 7 days (default threshold) to access your AWS cloud account, so that root account usage stays minimal. Trend Cloud One™ – Conformity strongly recommends locking down the use of the AWS root account and stopping the use of root credentials for everyday tasks. This Conformity rule checks whether the root account credentials were used within the configured time frame, to enforce best practices for AWS user access inside your organization.
This rule can help you with the following compliance standards:
- CISAWSF
- PCI
- HIPAA
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Locking down your root account usage is crucial for keeping your AWS cloud account safe because anyone who has your root credentials has unrestricted access to all the cloud resources within your AWS account, including billing information and the ability to change the root password. To avoid root account usage, we recommend implementing the Principle of Least Privilege (POLP) by creating IAM users with the minimal set of actions required to perform just the desired, authorized tasks.
Note: You can change the default threshold value for this rule (i.e. 7 days) on the Conformity account console and set your own value for the period of time necessary for the rule validation.
Audit
To determine if your AWS root account credentials have been used in the past 7 days (default threshold), perform the following actions:
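The check itself can be done from the IAM credential report: the root row (user `<root_account>`) carries a `password_last_used` timestamp plus `access_key_1_last_used_date` and `access_key_2_last_used_date`, and the rule is violated when the most recent of those falls inside the threshold window. The following is an added example, not Conformity's own implementation: it parses a constructed credential report CSV (same column layout as the report that `aws iam get-credential-report --query Content --output text | base64 -d` returns, with the account ID and timestamps made up) and reports whether root was used within the threshold. The function names `root_last_used` and `check_root_usage` are this example's own.

```python
import base64
import csv
import io
from datetime import datetime, timezone

# Constructed sample credential report. Column order matches the IAM credential
# report; the account ID 123456789012, user names and timestamps are made up.
SAMPLE_REPORT = (
    "user,arn,user_creation_time,password_enabled,password_last_used,"
    "password_last_changed,password_next_rotation,mfa_active,access_key_1_active,"
    "access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,"
    "access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,"
    "access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,"
    "cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated\n"
    # Root signed in with its password on 10 March and also has an active access key
    # last used on 1 February (an active root key is itself bad practice).
    "<root_account>,arn:aws:iam::123456789012:root,2018-01-01T00:00:00+00:00,not_supported,"
    "2024-03-10T14:22:00+00:00,not_supported,not_supported,true,true,2018-01-01T00:00:00+00:00,"
    "2024-02-01T10:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A\n"
    "alice,arn:aws:iam::123456789012:user/alice,2019-05-05T00:00:00+00:00,true,"
    "2024-03-11T09:00:00+00:00,2024-01-01T00:00:00+00:00,N/A,true,true,2024-01-01T00:00:00+00:00,"
    "2024-03-11T09:05:00+00:00,us-east-1,sts,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A\n"
)
# The CLI returns the report base64-encoded; this mirrors that for the sample.
SAMPLE_REPORT_B64 = base64.b64encode(SAMPLE_REPORT.encode("utf-8")).decode("ascii")

ROOT_USER = "<root_account>"
# Every column that records a use of a root credential (console password or access key).
ROOT_USAGE_FIELDS = ("password_last_used", "access_key_1_last_used_date", "access_key_2_last_used_date")
# Placeholder values the credential report uses when no timestamp is available.
NO_DATE = {"N/A", "no_information", "not_supported", ""}


def decode_report(content_b64):
    """Decode the base64 `Content` field of get-credential-report into CSV text."""
    return base64.b64decode(content_b64).decode("utf-8")


def parse_timestamp(value):
    """Return an aware datetime for an ISO 8601 report value, or None for placeholders."""
    if value in NO_DATE:
        return None
    return datetime.fromisoformat(value)


def root_last_used(report_csv):
    """Most recent use of any root credential, or None if root has never been used."""
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == ROOT_USER:
            dates = [parse_timestamp(row[field]) for field in ROOT_USAGE_FIELDS]
            dates = [d for d in dates if d is not None]
            return max(dates) if dates else None
    raise ValueError("credential report contains no <root_account> row")


def check_root_usage(report_csv, threshold_days=7, now=None):
    """Evaluate the rule: root used within `threshold_days` of `now` is a finding."""
    now = now or datetime.now(timezone.utc)
    last_used = root_last_used(report_csv)
    if last_used is None:
        days_since = None
        used = False  # never used: compliant
    else:
        days_since = (now - last_used).total_seconds() / 86400
        used = days_since <= threshold_days
    return {
        "root_last_used": last_used.isoformat() if last_used else None,
        "days_since_use": days_since,
        "threshold_days": threshold_days,
        "used_within_threshold": used,
    }


if __name__ == "__main__":
    result = check_root_usage(decode_report(SAMPLE_REPORT_B64))
    status = "FINDING" if result["used_within_threshold"] else "OK"
    print(status, result)
```

The `now` parameter exists so the evaluation is reproducible against a stored report; in production leave it unset. Note that the credential report is generated asynchronously (`aws iam generate-credential-report` first), and its `password_last_used` column is updated only for sign-ins, so a reported "never used" root still warrants an MFA and access-key review.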
Remediation / Resolution
To restrict the AWS root account usage and create an MFA-enabled IAM user necessary for everyday access, perform the following actions:
Note: As an example, a new IAM user with administrative privileges will be created to eliminate the need for using the root account user. However, it is recommended to create individual IAM users for all the different roles within your organization, such as administrators, developers, security and compliance managers, etc.
References
- AWS Documentation
  - AWS IAM FAQs
  - Multi-Factor Authentication
  - IAM Best Practices
  - AWS Security Audit Guidelines
  - Creating an IAM User in Your AWS Account
  - Using Multi-Factor Authentication (MFA) in AWS
- AWS Blog
  - Adhere to IAM Best Practices in 2016
- AWS Command Line Interface (CLI) Documentation
  - iam
    - get-credential-report
    - create-user
    - attach-user-policy
    - put-user-policy
    - create-login-profile