AWSOverview
The "root" account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the "root" account be removed.
Rationale
Removing access keys associated with the root account limits vectors by which the account can be compromised. Additionally, removing the root access keys encourages the creation and use of role based accounts that are least privileged.
Remediation guidance
Perform the following to delete or disable active root access keys being used
Via the AWS Console
- Sign in to the AWS Management Console as Root and open the IAM console at https://console.aws.amazon.com/iam/.
- Click on <Root_Account_Name> at the top right and select
Security Credentialsfrom the drop down list - On the pop out screen Click on
Continue to Security Credentials - Click on
Access Keys(Access Key ID and Secret Access Key) - Under the Status column if there are any Keys which are Active
- Click on
Make Inactive- (Temporarily disable Key - may be needed again) - Click
Delete- (Deleted keys cannot be recovered)
References
- http://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html
- http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html
- http://docs.aws.amazon.com/IAM/latest/APIReference/API_GetAccountSummary.html
- CCE-78910-7
- CIS CSC v6.0 #5.1
Multiple Remediation Paths
AWS
SERVICE-WIDE (RECOMMENDED when many resources are affected): Deploy centralized guardrails and remediation using AWS Config Conformance Packs and (if applicable) AWS Organizations SCPs.
aws configservice put-organization-conformance-pack --organization-conformance-pack-name <pack-name> --template-s3-uri s3://<bucket>/<template>.yaml
ASSET-LEVEL: Apply the resource-specific remediation steps above to only the affected assets.
PREVENTIVE: Add CI/CD policy checks (CloudFormation/Terraform validation) before deployment to prevent recurrence.
References for Service-Wide Patterns
- AWS Config Conformance Packs: https://docs.aws.amazon.com/config/latest/developerguide/conformance-packs.html
- AWS Organizations SCP examples: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html
Operational Rollout Workflow
Use this sequence to reduce risk and avoid repeated drift.
1. Contain at Service-Wide Scope First (Recommended)
- AWS: deploy/adjust organization conformance packs and policy guardrails.
aws configservice put-organization-conformance-pack --organization-conformance-pack-name <pack-name> --template-s3-uri s3://<bucket>/<template>.yaml
2. Remediate Existing Affected Assets
- Execute the control-specific Console/CLI steps documented above for each flagged resource.
- Prioritize internet-exposed and production assets first.
3. Validate and Prevent Recurrence
- Re-scan after each remediation batch.
- Track exceptions with owner and expiry date.
- Add preventive checks in IaC/CI pipelines.
Query logic
These are the stored checks tied to this control.
AWS Root users with access key
Connectors
Covered asset types
Expected check: eq []
{
rootUsers(
where: {
hasIAMUserCredentials: {
OR: [{ accessKey1Active: true }, { accessKey2Active: true }]
}
}
) {
connector {...AssetFragment}
}
}
