More Info:

Root account has full permissions across the entire account. Root account should not have access keys. Also, it certainly shouldn’t access any service. Instead, create IAM users with predefined roles.

Risk Level

Critical

Address

Security

Compliance Standards

HIPAA, ISO27001, PCIDSS, GDPR, NIST, SOC2, CISAWS, CBP, HITRUST, AWSWAF, NISTCSF, FedRAMP

Triage and Remediation

How to Prevent

To prevent the root account from having access keys in AWS IAM using the AWS Management Console, follow these steps:

  1. Sign in to the AWS Management Console:

  2. Navigate to the IAM Dashboard:

    • In the AWS Management Console, click on the “Services” menu at the top of the page.
    • Under “Security, Identity, & Compliance,” select “IAM” to open the IAM Dashboard.
  3. Access the Root Account Security Settings:

    • In the IAM Dashboard, look for the “Security Status” section.
    • Click on the “Manage security credentials” link next to the “Root account” label. This will take you to the “Security Credentials” page for the root account.
  4. Check and Delete Access Keys:

    • On the “Security Credentials” page, scroll down to the “Access keys” section.
    • If there are any active access keys listed, click on the “Delete” button next to each key to remove them.
    • Confirm the deletion when prompted to ensure that the root account no longer has any access keys.

By following these steps, you can ensure that the root account does not have any access keys, thereby enhancing the security of your AWS environment.

Additional Reading: