IAM Root User No Access Keys Rule
This rule states that the IAM root user should not have access keys for improved security.
| Rule | IAM root user should not have access keys |
| Framework | NIST 800-53 Revision 5 |
| Severity | ✔ Medium |
Rule Description
The IAM root user should not have access keys for NIST 800-53 Revision 5 compliance. The root user is the most privileged user in an AWS account and should not have permanent access keys assigned to it for security reasons. NIST 800-53 Revision 5 provides a set of security controls and guidelines for federal information systems in the United States.
Troubleshooting Steps
- 1.
Identify if root user access keys exist: First, check if access keys are associated with the root user by logging in to the AWS Management Console.
- 2.
Verify root user access: Confirm if the IAM user is the root user by doing the following:
- Go to the IAM service in the AWS Management Console.
- Click on "Users" and search for the user named "root".
- Verify that no access keys are associated with the root user account.
Remediation Steps
To remediate the issue of the IAM root user having access keys for NIST 800-53 Revision 5 compliance, follow the steps below:
- 1.
Revoke existing access keys:
- Log in to the AWS Management Console with root user credentials.
- Go to the IAM service.
- Click on "Users" and search for the user named "root".
- Select the root user and click on the "Security credentials" tab.
- In the "Access keys" section, if any access key is listed, select it and click on "Delete access key".
- Confirm the deletion when prompted.
- 2.
Enable multi-factor authentication (MFA) for root user:
- While still on the root user's "Security credentials" tab, scroll down to the "Multi-factor authentication (MFA)" section.
- Click on "Manage MFA" to set up MFA for the root user.
- Choose the appropriate MFA device option (virtual or hardware) and follow the instructions provided. This adds an extra layer of security to the root user account.
- 3.
Create administrator IAM user:
- To ensure administrative tasks can still be performed, create a new IAM user with administrative permissions.
- Go to the IAM service in the AWS Management Console.
- Click on "Users" and then "Add user".
- Provide a user name, enable programmatic access, and add the user to the administrative group (e.g., Administrators).
- Proceed to configure the user by following the provided instructions.
- 4.
Verify new IAM user access:
- Log out of the root user account and log in using the newly created IAM user's credentials.
- Perform administrative tasks and confirm that the user has the necessary access rights.
Following these steps will remove access keys from the root user account and enhance the security of your AWS environment while ensuring adherence to NIST 800-53 Revision 5 compliance.