
Root Account Credentials Usage

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: IAM-035

Ensure that your AWS root account credentials have not been used within the past 7 days (default threshold) to access your AWS cloud account, in order to keep root account usage to a minimum. Trend Cloud One™ – Conformity strongly recommends locking down the use of the AWS root account and not using the root credentials for everyday tasks. This conformity rule checks whether the root account credentials were used within the configured time frame, to enforce best practices for AWS user access inside your organization.

This rule can help you with the following compliance standards:

  • CISAWSF
  • PCI
  • HIPAA
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Locking down your root account usage is crucial for keeping your AWS cloud account safe because anyone who has your root credentials has unrestricted access to all the cloud resources within your AWS account, including billing information and the ability to change the root password. To avoid root account usage, we recommend implementing the Principle of Least Privilege (POLP) by creating IAM users with the minimal set of actions required to perform just the desired, authorized tasks.

Note: You can change the default threshold value for this rule (i.e. 7 days) on the Conformity account console and set your own value for the period of time necessary for the rule validation.


Audit

To determine if your AWS root account credentials have been used in the past 7 days (default threshold), perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access reports, select Credential report.

04 Choose Download Report to download the report that lists all your Amazon IAM users and the status of their credentials.

05 Open the downloaded file in your preferred CSV file editor and check the date/time value (timestamp) available in the password_last_used column for the <root_account> user to determine when the root account credentials were last used. If the password_last_used timestamp shows a date within the past 7 days, the root credentials have recently been used to access your AWS cloud account, and the root account access policy is therefore not compliant (it does not follow IAM security best practices).

06 Repeat steps no. 1 – 5 for each AWS cloud account that you want to examine.

Using AWS CLI

01 Run get-credential-report command (OSX/Linux/UNIX) to obtain the IAM credential report for your AWS cloud account. A credential report is a CSV document that lists all the AWS users (root and IAM users) created within your AWS cloud account and the current status of their access credentials:

aws iam get-credential-report

02 The command output should return the requested document in a TEXT/CSV format, encoded with the Base64 encoding scheme, as shown in the example below:

{
	"Content": "abcdabcdabcdabcdabcdabcdabcdabc",
	"ReportFormat": "text/csv",
	"GeneratedTime": "2021-04-16T15:00:00+00:00"
}

03 Decode the IAM credential report content from the command line (OSX/Linux/UNIX) using the Base64 string returned at the previous step as the input data. In the following example, the report is decoded and saved to a file named cc-iam-credentials-report.csv:

echo -n abcdabcdabcdabcdabcdabcdabcdabc | base64 -d > cc-iam-credentials-report.csv

04 Open the cc-iam-credentials-report.csv file in your preferred CSV file editor and check the date/time value (timestamp) available in the password_last_used column for the <root_account> user to determine when the root account credentials were last used. If the password_last_used timestamp shows a date within the past 7 days, the root credentials have recently been used to access your AWS cloud account, and the root account access policy is therefore not compliant.

05 Repeat steps no. 1 – 4 for each AWS cloud account that you want to examine.
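A script that automates steps 1 to 4 of the CLI audit above, added here as an example and not part of the Conformity rule page: it base64-decodes the Content field of the get-credential-report output, reads the <root_account> row of the CSV and compares the last-use timestamps against the threshold, treating marker values such as no_information, not_supported or N/A as "never used". It goes slightly beyond the rule text by also considering the root access-key last-used columns; column names are those of the IAM credential report, and the sample report embedded below is constructed, not real account data.

```python
import base64
import csv
import io
import json
from datetime import datetime, timedelta

THRESHOLD_DAYS = 7  # Conformity default threshold for IAM-035
# Columns recording credential use; the access-key columns are included because root access keys are root credentials too.
LAST_USED_COLUMNS = ("password_last_used", "access_key_1_last_used_date", "access_key_2_last_used_date")

def decode_report(cli_output: str) -> str:
    """Base64-decode the Content field of the `aws iam get-credential-report` JSON."""
    return base64.b64decode(json.loads(cli_output)["Content"]).decode("utf-8")

def report_generated_time(cli_output: str) -> datetime:
    """GeneratedTime of the report, the natural 'now' for an offline evaluation."""
    return datetime.fromisoformat(json.loads(cli_output)["GeneratedTime"])

def parse_timestamp(value: str):
    """A cell holds an ISO-8601 time or a marker (no_information, not_supported, N/A)."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None  # marker: no recorded use of this credential

def root_last_used(report_csv: str):
    """Most recent use of any root credential, or None if none is recorded."""
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            times = [parse_timestamp(row.get(c, "")) for c in LAST_USED_COLUMNS]
            times = [t for t in times if t is not None]
            return max(times) if times else None
    raise ValueError("<root_account> row missing from credential report")

def root_usage_compliant(cli_output: str, now: datetime, threshold_days=THRESHOLD_DAYS) -> bool:
    """True when no root credential was used within the last threshold_days (now must be tz-aware)."""
    last = root_last_used(decode_report(cli_output))
    return last is None or now - last > timedelta(days=threshold_days)

# Constructed sample, not real account data: root password used 3 days before GeneratedTime, so the 7-day check fails.
SAMPLE_CSV = (
    "user,arn,user_creation_time,password_enabled,password_last_used,"
    "access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date\n"
    "<root_account>,arn:aws:iam::123456789012:root,2017-01-01T00:00:00+00:00,"
    "not_supported,2021-04-13T10:00:00+00:00,false,N/A,false,N/A\n"
)
SAMPLE_CLI_OUTPUT = json.dumps({
    "Content": base64.b64encode(SAMPLE_CSV.encode()).decode(),
    "ReportFormat": "text/csv", "GeneratedTime": "2021-04-16T15:00:00+00:00"})
```

Against a real account, pipe `aws iam get-credential-report` into the script and pass the current UTC time as `now`; the rule's configured threshold replaces THRESHOLD_DAYS.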

Remediation / Resolution

To restrict the AWS root account usage and create an MFA-enabled IAM user necessary for everyday access, perform the following actions:

Note: As an example, a new IAM user with administrative privileges will be created to eliminate the need for using the root account user. However, it is recommended to create individual IAM users for all the different roles within your organization such as administrators, developers, security and compliance managers, etc.

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Resources": {
		"IAMUser": {
			"Type": "AWS::IAM::User",
			"Properties": {
				"UserName": "cc-ec2-instance-manager",
				"Path": "/",
				"LoginProfile": {
					"Password": "password",
					"PasswordResetRequired": true
				}
			}
		},
		"IAMUserPolicy": {
			"Type": "AWS::IAM::Policy",
			"Properties": {
				"PolicyName": "ec2-instance-access-policy",
				"PolicyDocument": {
					"Version": "2012-10-17",
					"Statement": [
						{
							"Action": "ec2:*",
							"Effect": "Allow",
							"Resource": "*"
						}
					]
				},
				"Users": [
					{
						"Ref": "IAMUser"
					}
				]
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  IAMUser:
    Type: AWS::IAM::User
    Properties:
      UserName: cc-ec2-instance-manager
      Path: /
      LoginProfile:
        Password: password
        PasswordResetRequired: true
  IAMUserPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: ec2-instance-access-policy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Action: ec2:*
            Effect: Allow
            Resource: '*'
      Users:
        - !Ref 'IAMUser'

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}
	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_iam_user" "iam-user" {
	name = "cc-ec2-instance-manager"
	path = "/"
}

# The AWS provider generates the console password for a login profile; it cannot be
# supplied in the configuration. The generated value is exported as the resource's
# password attribute (encrypted_password when pgp_key is set).
resource "aws_iam_user_login_profile" "user-login-profile" {
	user                    = aws_iam_user.iam-user.name
	password_reset_required = true
}

resource "aws_iam_policy" "iam-policy" {
	name   = "ec2-instance-access-policy"
	policy = jsonencode({
		Version = "2012-10-17"
		Statement = [
			{
				Action   = "ec2:*"
				Effect   = "Allow"
				Resource = "*"
			}
		]
	})
}

# aws_iam_user_policy_attachment attaches the policy to this user only, unlike
# aws_iam_policy_attachment, which takes exclusive control of all the policy's attachments.
resource "aws_iam_user_policy_attachment" "iam-user-attachment" {
	user       = aws_iam_user.iam-user.name
	policy_arn = aws_iam_policy.iam-policy.arn
}

Using AWS Console

01 Sign in to the AWS Management Console using the root account credentials.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access management, choose Users.

04 Click on the Add user button from the console top menu to initiate the IAM user setup.

05 On the Add user setup page, perform the following actions:

  1. Provide a unique name for your new IAM user in the User name box. Choose Add another user if you want to create multiple IAM users at once.
  2. For Access type, choose AWS Management Console access to enable the password-based access for the new IAM user. This will allow the user to sign-in to the AWS Management Console.
  3. For Console password, choose whether you want to use a custom password or an autogenerated one.
  4. (Optional) Select the Require password reset to require creating a new password at the next sign-in.
  5. Select the Permissions tab and click the Attach Policy button to define the user access permissions.
  6. Choose Next: Permissions to configure the IAM user permissions.
  7. For Set permissions, choose Attach existing policies directly to attach a managed policy to the new IAM user, or select Add user to group to add the new user to an existing group (if available). For example, attach an AWS-managed policy named AdministratorAccess to provide the user full access to AWS services and resources.
  8. For Set permissions boundary, choose whether to set a permissions boundary to control the maximum permissions that the new IAM user can have.
  9. Choose Next: Tags to configure the IAM user tags.
  10. Use the Key and Value (optional) text fields to create tags for your new user. Amazon IAM tags are key-value pairs that you can add to your user. Tags can include user information, such as an email address, or can be descriptive, such as a job title. You can use the tags to organize, track, or control access for the new IAM user.
  11. Select Next: Review to review the user configuration details, then choose Create user to create your new Amazon IAM user.
  12. Select Download .csv to download your new IAM user credentials.
  13. Choose Close to return to the Amazon IAM console.

06 To enable Multi-Factor Authentication (MFA) for the newly created IAM user, follow the steps outlined in this conformity rule.

07 In the navigation panel, choose Dashboard and copy the sign-in link listed under Sign-in URL for IAM users in this account to your clipboard.

08 Sign out from your AWS root account, paste the sign-in link copied at the previous step into your browser address bar, and sign in to the AWS Management Console with your new IAM user credentials (user name, password, and MFA passcode).

Using AWS CLI

01 Run create-user command (OSX/Linux/UNIX) to create a new Amazon IAM user necessary for everyday access to your AWS cloud account:

aws iam create-user \
  --user-name cc-cloud-admin-user

02 The command output should return the metadata available for the new IAM user:

{
	"User": {
		"Path": "/",
		"UserName": "cc-cloud-admin-user",
		"UserId": "ABCDABCDABCDABCDABCDA",
		"Arn": "arn:aws:iam::123456789012:user/cc-cloud-admin-user",
		"CreateDate": "2021-04-22T15:00:00+00:00"
	}
}

03 To define and attach identity-based policies to your new IAM user based on the policy type that you want to use, perform one of the following sets of commands:

  1. To attach managed IAM policies:
    • Run attach-user-policy command (OSX/Linux/UNIX) to attach the specified managed IAM policy to the specified IAM user. For example, attach an AWS-managed IAM policy identified by the ARN arn:aws:iam::aws:policy/AdministratorAccess if you want to provide full access to AWS services and resources via the AWS Management Console (the command does not produce an output):
      aws iam attach-user-policy \
        --policy-arn arn:aws:iam::aws:policy/AdministratorAccess \
        --user-name cc-cloud-admin-user
      
  2. To define and attach inline IAM policies:
    • For example, to define an inline policy that allows access to your AWS services and resources, paste the following policy document to a JSON file named cc-iam-user-inline-policy.json:
      {
      	"Version": "2012-10-17",
      	"Statement": [
      		{
      			"Effect": "Allow",
      			"Action": "*",
      			"Resource": "*"
      		}
      	]
      }
      
    • Run put-user-policy command (OSX/Linux/UNIX) to attach the inline policy defined at the previous step to the specified IAM user (if successful, the command does not produce an output):
      aws iam put-user-policy \
        --user-name cc-cloud-admin-user \
        --policy-name cc-cloud-full-access \
        --policy-document file://cc-iam-user-inline-policy.json
      

04 Run create-login-profile command (OSX/Linux/UNIX) to assign a password for your new Amazon IAM user. Replace <iam-user-password> with your own password:

aws iam create-login-profile \
  --user-name cc-cloud-admin-user \
  --password <iam-user-password> \
  --no-password-reset-required

05 The command output should return the Amazon IAM user login profile metadata:

{
	"LoginProfile": {
		"UserName": "cc-cloud-admin-user",
		"CreateDate": "2021-04-22T17:00:00+00:00",
		"PasswordResetRequired": false
	}
}

06 To enable Multi-Factor Authentication (MFA) for the newly created IAM user, follow the steps outlined in this conformity rule.

Publication date Jul 1, 2017