This rule ensures that the IAM root user has no access keys.
Rule | IAM root user should not have access keys |
Framework | FedRAMP Low Revision 4 |
Severity | Medium |
Rule Description:
The rule stipulates that the AWS Identity and Access Management (IAM) root user must not have access keys in environments assessed against the FedRAMP Low framework, Revision 4. The root user is the identity created with the AWS account, signed in with the account's e-mail address, and it has unrestricted access to every resource in the account; unlike IAM users and roles, it cannot be constrained by IAM permission policies. Access keys (an access key ID plus a secret access key) grant long-lived programmatic access, so a root access key is a credential that, if leaked from a workstation, repository, or CI log, hands an attacker the whole account with no policy boundary to limit the damage. Complying with this rule removes that credential entirely; any automation that genuinely needs programmatic access should run under an IAM role or a least-privilege IAM user instead.
Remediation:
To adhere to this rule, verify that the root user has no access keys. Root access keys are not created automatically; they exist only if someone created them after the account was set up, so many accounts are already compliant. Where a root key does exist, deleting it (not merely setting it to Inactive, which leaves the key in place) satisfies the rule. Only the root user can view or delete its own access keys, so the steps below must be performed while signed in as root:
Open the AWS Management Console and sign in with the root user credentials (the account e-mail address and root password, plus the root MFA device if one is enrolled).
Choose the account name in the upper-right corner of the console and select "Security credentials". The root user does not appear in the IAM "Users" list; its credentials are managed only from this page.
Scroll to the "Access keys" section and check whether any access keys are listed.
If a key is listed, confirm that nothing still depends on it (see the dependency caveat under "Additional Information"), then choose "Delete" from the key's "Actions" menu. If the console requires the key to be deactivated before deletion, deactivate it first, then delete it, and confirm the deletion in the prompt.
If no access keys are listed, you are already compliant with the rule.
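For auditing this rule across accounts without signing in as root, the IAM credential report and GetAccountSummary expose the same facts read-only. The following is an added example, not code from the original page or from any compliance product: it parses a constructed credential report in the real CSV layout, reports which root key slots are active and where they were last used, and combines that with the `AccountAccessKeysPresent` counter from GetAccountSummary, which is set even when a root key has been deactivated rather than deleted. The two `fetch_*` helpers assume boto3 is installed and configured with permissions for `iam:GenerateCredentialReport`, `iam:GetCredentialReport` and `iam:GetAccountSummary`; everything else runs offline.

```python
"""Detect IAM root access keys from an AWS credential report.

Added example for this page, not code from the original page or from any
compliance tool. Parsing runs offline on a constructed sample; the fetch_*
helpers call AWS through boto3 (assumed installed and configured) only when
you invoke them.
"""
import csv
import io
import time

ROOT_USER = "<root_account>"  # the root user's literal name in the report

# Constructed sample report. Column names match the real credential-report
# CSV; columns this check does not use (certificates, etc.) are omitted.
SAMPLE_REPORT = (
    "user,arn,user_creation_time,password_enabled,password_last_used,"
    "password_last_changed,password_next_rotation,mfa_active,"
    "access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,"
    "access_key_1_last_used_region,access_key_1_last_used_service,"
    "access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,"
    "access_key_2_last_used_region,access_key_2_last_used_service\n"
    "<root_account>,arn:aws:iam::111122223333:root,2020-01-15T10:00:00+00:00,"
    "not_supported,2024-03-01T08:12:00+00:00,not_supported,not_supported,true,"
    "true,2021-06-01T12:00:00+00:00,2024-02-20T09:30:00+00:00,us-east-1,s3,"
    "false,N/A,N/A,N/A,N/A\n"
    "deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2022-05-01T00:00:00+00:00,"
    "false,no_information,N/A,N/A,false,"
    "true,2023-11-10T00:00:00+00:00,2024-03-02T04:00:00+00:00,eu-west-1,ecr,"
    "false,N/A,N/A,N/A,N/A\n"
)

# The same account after the root key was deleted (also constructed).
CLEAN_REPORT = SAMPLE_REPORT.replace(
    "true,2021-06-01T12:00:00+00:00,2024-02-20T09:30:00+00:00,us-east-1,s3,",
    "false,N/A,N/A,N/A,N/A,",
)


def parse_report(report_csv):
    """Parse the credential-report CSV into one dict per row."""
    return list(csv.DictReader(io.StringIO(report_csv)))


def root_access_keys(report_csv):
    """Return the root user's active key slots ("1"/"2") with last-use details.

    An empty dict means the report shows no *active* root key. A key set to
    Inactive still exists (active=false here) and still violates the rule,
    which is why evaluate() also consults AccountAccessKeysPresent.
    """
    root = next((r for r in parse_report(report_csv) if r["user"] == ROOT_USER), None)
    if root is None:
        raise ValueError("credential report has no <root_account> row")
    active = {}
    for slot in ("1", "2"):
        if root[f"access_key_{slot}_active"] == "true":
            active[slot] = {
                "last_rotated": root[f"access_key_{slot}_last_rotated"],
                "last_used": root[f"access_key_{slot}_last_used_date"],
                "region": root[f"access_key_{slot}_last_used_region"],
                "service": root[f"access_key_{slot}_last_used_service"],
            }
    return active


def evaluate(report_csv, summary_map=None):
    """Combine the report with GetAccountSummary's SummaryMap when available.

    AccountAccessKeysPresent is 1 when any root key exists regardless of its
    status; the report adds where and when each active key was last used,
    which you need to find dependents before deleting it.
    """
    active = root_access_keys(report_csv)
    if summary_map is not None:
        present = bool(summary_map.get("AccountAccessKeysPresent", 0))
    else:
        present = bool(active)  # best effort when only the report is available
    return {"compliant": not present and not active,
            "keys_present": present, "active_keys": active}


def fetch_credential_report(iam=None):
    """Generate (if needed) and download the live report via boto3."""
    import boto3  # imported lazily so offline parsing has no dependency
    iam = iam or boto3.client("iam")
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)  # report generation is asynchronous
    return iam.get_credential_report()["Content"].decode("utf-8")


def fetch_summary_map(iam=None):
    """Return GetAccountSummary's SummaryMap via boto3."""
    import boto3
    iam = iam or boto3.client("iam")
    return iam.get_account_summary()["SummaryMap"]


if __name__ == "__main__":
    # Offline demo on the constructed samples; for a live account use
    # evaluate(fetch_credential_report(), fetch_summary_map()).
    for name, report in (("sample", SAMPLE_REPORT), ("clean", CLEAN_REPORT)):
        print(name, evaluate(report))
```

The same two facts are available from the CLI with `aws iam get-account-summary --query SummaryMap.AccountAccessKeysPresent` and `aws iam generate-credential-report` followed by `aws iam get-credential-report --query Content --output text | base64 -d`, both of which work from an ordinary audit role. Deletion itself still requires root credentials: `aws iam delete-access-key --access-key-id <key id>` run with the root key acts on the root user when no `--user-name` is given, after which that CLI session stops working.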
Troubleshooting Steps:
If you cannot see or delete the root user's access keys, confirm that you are signed in as the root user and not as an IAM user or role with administrator permissions: IAM identities cannot list or delete root keys, although `aws iam get-account-summary` (field `AccountAccessKeysPresent`) will still tell them whether any exist.
If the deletion fails for another reason, read the error message shown in the AWS Management Console; it identifies the specific problem (for example, a key that must be deactivated before it can be deleted) so you can address it and retry.
Additional Information:
Deleting the root user's access keys is a security best practice, but do it only after confirming that no application, script, or third-party service still uses them. The credential report's `access_key_N_last_used_date`, `access_key_N_last_used_service`, and `access_key_N_last_used_region` columns for the `<root_account>` row show whether and where a key is still in use; migrate any such dependency to an IAM role (or, where a role is impossible, a least-privilege IAM user) before removing the root key. Deactivating the key for a short period before deleting it is a low-risk way to surface a forgotten dependency.
As part of ongoing security and compliance practice, use IAM roles rather than the root user for day-to-day and programmatic work, enable multi-factor authentication on the root user, and reserve root sign-ins for the few tasks that require it.
Regularly review and audit the access keys of all IAM users as well as the root user, for example through the IAM credential report, to maintain continuous compliance with access control policies and to catch stale or unused keys early.