IAM Root User No Access Keys Rule
This rule states that the IAM root user should not have access keys.
| Rule | IAM root user should not have access keys |
| Framework | CISA-cyber-essentials |
| Severity | ✔ Medium |
IAM Rule: Root User Access Keys for CISA Cyber Essentials
Description:
This rule ensures that the root user in AWS Identity and Access Management (IAM) does not have any access keys associated with it. This is important to minimize the risk of unauthorized access and potential security breaches to the AWS account.
Having access keys for the root user poses a significant security risk because they provide unrestricted access and control over all resources within the AWS account. To align with the CISA Cyber Essentials guidelines, it is necessary to disable access keys for the root user.
Troubleshooting Steps and Remediation:
1. Verify the existence of access keys for the root user:
To check if access keys are associated with the root user, follow these steps:
- 1.Log in to the AWS Management Console with the root user credentials.
- 2.Open the IAM service.
- 3.Click on "Users" from the left-hand menu.
- 4.Look for the user named "root" in the user list.
- 5.Click on the username to access the user details.
- 6.Check for any access keys listed under "Access keys".
- 7.If there are access keys present, proceed to the next step; otherwise, no further action is required.
2. Disable and delete the access keys:
To disable and delete access keys for the root user, perform the following:
- 1.Select the access key(s) associated with the root user.
- 2.Click on "Actions" and select "Make inactive" to disable the access key(s).
- 3.After disabling the access key(s), select them again.
- 4.Click on "Actions" and select "Delete" to permanently remove the access key(s).
- 5.Confirm the deletion when prompted.
3. Remove permissions for IAM user with access keys:
If an IAM user with access keys exists and has administrative privileges, it is important to remove those permissions to align with the CISA Cyber Essentials policy. Follow these steps:
- 1.Identify the IAM user associated with the access keys that have been disabled or deleted.
- 2.Open the IAM service in the AWS Management Console.
- 3.Click on "Users" from the left-hand menu.
- 4.Search for the user associated with the access keys.
- 5.Click on the username to access the user details.
- 6.Click on the "Permissions" tab.
- 7.Review and assess the user's permissions.
- 8.Remove any administrative or excessive permissions by clicking on the relevant permissions and selecting "Remove" or adjusting policies to align with the user's appropriate access levels.
4. Enable multi-factor authentication (MFA) for root user:
To enhance the security of the root user account, it is highly recommended to enable multi-factor authentication (MFA). Follow these steps to enable MFA for the root user:
- 1.Open the IAM service in the AWS Management Console.
- 2.Click on "Users" from the left-hand menu.
- 3.Look for the user named "root" in the user list.
- 4.Click on the username to access the user details.
- 5.Click on the "Security credentials" tab.
- 6.Scroll down to the "Multi-factor authentication (MFA)" section.
- 7.Click on "Manage MFA".
- 8.Follow the instructions provided to enable MFA for the root user.
Conclusion:
By adhering to the rule and removing access keys from the root user, you significantly reduce the risk of unauthorized access to your AWS account. Disabling access keys and enabling MFA for the root user are essential steps in achieving a more secure and compliant AWS environment, aligning with the guidelines set by CISA Cyber Essentials.