This rule checks that the IAM root user has no access keys.

| Rule | IAM root user should not have access keys |
|---|---|
| Framework | NIST 800-171 Revision 2 |
| Severity | Medium |
Rule Description
According to the NIST 800-171 Revision 2 security guidelines, access keys for the IAM root user should be kept to a minimum. The IAM root user has unrestricted access to every AWS resource and service in the account, which makes it the most privileged identity there is. Removing the root user's access keys minimizes the risk of unauthorized programmatic access and the potential security breaches that follow from it.
Troubleshooting Steps
If the IAM root user has access keys, the account violates the NIST 800-171 security policy. Follow these troubleshooting steps to confirm the finding:
Identify IAM Root User: Log in to the AWS Management Console using the root user credentials.
Navigate to IAM: Open the IAM service by searching for IAM in the AWS Management Console.
Search for Root User: In the IAM console, click on "Users" in the left-hand navigation pane. Search for the user named "AWS Account Root User."
Verify Access Keys: Check whether any access keys are associated with the IAM root user. Access keys allow programmatic access to AWS resources, so any active key on the root user is a finding.
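The same check can be automated from the IAM credential report, which lists the root user as `<root_account>` with `access_key_1_active` / `access_key_2_active` columns. The following is an added example, not the rule's own implementation; the report content is a constructed, trimmed sample, and the function and variable names are assumptions.

```python
import base64
import csv
import io

# Constructed sample of an IAM credential report, trimmed to the columns this
# check reads. The real report is fetched with
#   aws iam generate-credential-report
#   aws iam get-credential-report --query Content --output text
# and the CLI prints the CSV base64-encoded, exactly as SAMPLE_REPORT_B64 below.
SAMPLE_REPORT_CSV = (
    "user,arn,password_enabled,mfa_active,"
    "access_key_1_active,access_key_2_active\n"
    "<root_account>,arn:aws:iam::123456789012:root,not_supported,true,true,false\n"
    "alice,arn:aws:iam::123456789012:user/alice,true,true,true,false\n"
)
SAMPLE_REPORT_B64 = base64.b64encode(SAMPLE_REPORT_CSV.encode()).decode()

ROOT_USER = "<root_account>"  # value IAM uses in the "user" column for the root user
KEY_SLOTS = ("access_key_1", "access_key_2")


def decode_report(content_b64: str) -> str:
    """Turn the base64 Content field returned by get-credential-report into CSV text."""
    return base64.b64decode(content_b64).decode("utf-8")


def root_active_key_slots(report_csv: str) -> list[str]:
    """Return the root user's key slots that are active; empty list means no keys."""
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] != ROOT_USER:
            continue
        return [slot for slot in KEY_SLOTS
                if row.get(f"{slot}_active", "").strip().lower() == "true"]
    raise ValueError("credential report contains no <root_account> row")


def evaluate_rule(report_csv: str) -> dict:
    """Evaluate 'IAM root user should not have access keys' against a report."""
    active = root_active_key_slots(report_csv)
    return {
        "rule": "IAM root user should not have access keys",
        "severity": "Medium",
        "status": "FAIL" if active else "PASS",
        "active_root_key_slots": active,
    }


if __name__ == "__main__":
    print(evaluate_rule(decode_report(SAMPLE_REPORT_B64)))
```

A quicker, lower-resolution alternative is `aws iam get-account-summary`, whose `SummaryMap.AccountAccessKeysPresent` value is the number of access keys the root user has.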
Remediation Steps
To remediate the violation and comply with the NIST 800-171 Revision 2 security guidelines, follow the steps below:
Navigate to IAM: Log in to the AWS Management Console using the root user credentials, and open the IAM service.
Search for Root User: In the IAM console, click on "Users" in the left-hand navigation pane and search for the user named "AWS Account Root User."
Delete Access Keys: Select the checkbox next to the root user and click on the "Security credentials" tab below.
Delete Existing Access Keys: If any access keys are listed, delete each one by clicking the "Delete" button next to it.
Create and Use IAM User: Instead of utilizing the root user for day-to-day tasks, create a new IAM user with the necessary permissions for specific tasks or roles.
Grant Appropriate Permissions: Assign the new IAM user only the permissions it needs, following the principle of least privilege (POLP), so that it can reach only the AWS resources required for its tasks.
Enable Multi-Factor Authentication (MFA): Enable MFA for the new IAM user to add an extra layer of security and prevent unauthorized access.
Set Strong Password Policy: Configure a secure password policy for the IAM user to prevent weak or easily guessable passwords.
Disable Access Key Usage for Root User: To prevent future access key creation for the root user, enable the "Prevent access keys for the root user" option in the IAM console.
Following these steps removes the IAM root user's access keys and reduces the security risk associated with this highly privileged account.