Active root access key and secret key
Risk level: High
Rule ID: IAM-007
This rule checks for and lists AWS Accounts with root access key and secret key activated. nOps recommends that you use IAM roles and disable active keys when performing programmatic queries to keep your cloud environment safe and conform with the Well-Architected security best practices.
This rule can help you with the following:
- AWS Well-Architected Framework Lens
- AWS Foundational Technical Review (FTR) Lens
Audit
Perform the following steps to verify if your AWS root account has any access keys in use:
Using AWS Console
1. Sign in to the AWS Management Console using your root credentials.
2. In the top menu, click your username dropdown button and select the My Security Credentials option.
3. Navigate to the Access keys (access key ID and secret access key) section and click to expand it.
4. If you see any Access Key that has the status Active, your AWS account is not following the best practices and has root access keys enabled.
You must deactivate these root account access keys to protect your account against unauthorized access.
5. Repeat steps 1 – 4 for other AWS accounts' root users.
Using AWS CLI
1. Execute the get-credential-report command to retrieve your AWS account's credential report. The report details all users in your account as well as the status of their various credentials, which may include passwords, access keys, and multi-factor authentication (MFA) devices.
aws iam get-credential-report
a. If the command returns an error, no credential report exists in your account yet. In this case, you need to generate the credential report first using the generate-credential-report command as shown below:
aws iam generate-credential-report
**Output**
{
"State": "STARTED",
"Description": "No report exists. Starting a new report generation task."
}
Note that a report is stored for up to four hours in your AWS account after it's been created.
b. Execute the generate-credential-report command repeatedly until the State value changes to COMPLETE.
aws iam generate-credential-report
**Output**
{
"State": "COMPLETE"
}
c. Once the report is generated, run the get-credential-report command to retrieve it in CSV format.
aws iam get-credential-report
**Output**
{
"Content": "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",
"ReportFormat": "text/csv",
"GeneratedTime": "2021-11-14T09:16:00+00:00"
}
2. Note that the Content value is Base64 encoded. Copy the content and decode it into a CSV file:
echo "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" | base64 -d > credentials.csv
3. Open the credentials.csv file and search for column names matching the access_key_N_active pattern (e.g., access_key_1_active, access_key_2_active, etc.) for the AWS root account. If any of these values is set to TRUE for the root user, then your AWS root account has at least one access key active.
4. Repeat steps 1 – 3 for each AWS root account that you want to examine.
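The CLI audit above (retrieve the report, decode the Base64 Content, inspect the root row's access_key_N_active columns) carried out in code, as an added Python example that is not part of the nOps rule or the AWS CLI. The report content is a constructed sample trimmed to the relevant columns; in a real credential report the root user's row is labelled <root_account>, and the Content string would come from `aws iam get-credential-report`.

```python
import base64
import csv
import io

# Constructed sample of the "Content" field returned by get-credential-report:
# the credential report CSV, Base64-encoded. Only the columns this check needs are
# kept; a real report carries many more (password/MFA status, rotation dates, ...).
SAMPLE_CSV = (
    "user,arn,mfa_active,access_key_1_active,access_key_2_active\n"
    "<root_account>,arn:aws:iam::111122223333:root,true,true,false\n"
    "deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,false,true,true\n"
)
SAMPLE_CONTENT = base64.b64encode(SAMPLE_CSV.encode()).decode()

# Constructed compliant variant: the same account after the root keys were deleted.
COMPLIANT_CONTENT = base64.b64encode(
    SAMPLE_CSV.replace("root,true,true,false", "root,true,false,false").encode()
).decode()


def decode_report(content_b64: str) -> list[dict]:
    """Step 2: decode the Base64 Content value into a list of CSV rows (one dict per user)."""
    csv_text = base64.b64decode(content_b64).decode("utf-8")
    return list(csv.DictReader(io.StringIO(csv_text)))


def active_key_columns(row: dict) -> list[str]:
    """Step 3: the access_key_N_active columns whose value is TRUE for this row."""
    return sorted(
        col for col, val in row.items()
        if col.startswith("access_key_") and col.endswith("_active")
        and val.strip().lower() == "true"
    )


def root_active_keys(content_b64: str) -> list[str]:
    """IAM-007 check: which root access-key slots are active. An empty list means compliant."""
    for row in decode_report(content_b64):
        if row["user"] == "<root_account>":
            return active_key_columns(row)
    raise ValueError("credential report has no <root_account> row")


if __name__ == "__main__":
    for label, content in (("sample", SAMPLE_CONTENT), ("compliant", COMPLIANT_CONTENT)):
        active = root_active_keys(content)
        verdict = f"FAIL, active root keys: {active}" if active else "PASS"
        print(f"{label}: {verdict}")
```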
Remediation / Resolution
Using AWS Console
Perform the following steps to remove any active access keys for your AWS root account:
1. Sign in to the AWS Management Console using your root credentials.
2. In the top menu, click your username dropdown button and select the My Security Credentials option.
3. Navigate to the Access keys (access key ID and secret access key) section and click to expand it.
4. As mentioned in the audit section, check for any keys with the status set to Active and click on the Delete link available in the Actions column.
5. Click the Deactivate Access Key option and enter the Access Key ID.
6. Click Delete to confirm your action.
The access key status should change now from Active to Deleted.
Using AWS CLI
Currently, deleting AWS root access keys via CLI is not supported.