IAM root user should not be used

Description

Minimizing use of the root user and applying the principle of least privilege to access management reduces the risk of accidental changes and of exposing the account's most privileged credentials. Root activity can be recognised in CloudTrail as events whose userIdentity.type is Root, and the IAM credential report records when the root password and any root access keys were last used, so both sources can be used to confirm that root is not in day-to-day use.

Console Remediation Steps

AWS recommends not using the root user for everyday tasks, even administrative ones. Use it only to create your first IAM user and for the small set of tasks that genuinely require root, such as changing the account's root email address or closing the account.

Root access keys should not exist at all: delete them if they are present. Marking a key inactive only stops it from being used until someone reactivates it, which is acceptable as an interim step while you confirm nothing depends on the key, but the finding is fully resolved only when the key is deleted.

To delete the root user’s access key:

  • Sign in as the root user and open the IAM console.

  • From the top navigation, select your account name > My Security Credentials.

  • If you see a warning about accessing the security credentials for your AWS account, choose Continue to Security Credentials.

  • Expand Access keys (access key ID and secret access key).

  • For each active access key, select Make Inactive, then click Delete. A confirmation modal displays; click Delete to confirm. Deletion is irreversible, so make sure no automation still depends on the key before confirming.

To make the root user’s access key inactive:

  • Sign in as the root user and open the IAM console.

  • From the top navigation, select your account name > My Security Credentials.

  • If you see a warning about accessing the security credentials for your AWS account, choose Continue to Security Credentials.

  • Expand Access keys (access key ID and secret access key).

  • For each active access key, select Make Inactive. The key can be reactivated later, so plan to delete it once you have confirmed nothing uses it.

CLI Remediation Steps

AWS recommends not using the root user for everyday tasks, even administrative ones. Use it only to create your first IAM user and for the small set of tasks that genuinely require root, such as changing the account's root email address or closing the account.

Root access keys should not exist at all: delete them if they are present. Marking a key inactive only stops it from being used until someone reactivates it, which is acceptable as an interim step while you confirm nothing depends on the key, but the finding is fully resolved only when the key is deleted.

To delete the root user's access key, run the following with the root user's own credentials. The root user is not an IAM user, so --user-name must be omitted; when no user name is given, IAM acts on the owner of the credentials that signed the request, which is how root's own keys are managed. Deletion is irreversible:

  • aws iam delete-access-key --access-key-id <access key id>

To make the root user's access key inactive, again run as the root user and omit --user-name:

  • aws iam update-access-key --access-key-id <access key id> --status Inactive
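To confirm the finding before remediating, and to confirm afterwards that the root user has no active keys and has not been used recently, the IAM credential report is the quickest source (the same data backs the description above and the CLI steps just listed). The report is obtained with `aws iam generate-credential-report` followed by `aws iam get-credential-report --query Content --output text | base64 -d`. The following Python is an added example written for this page, not code from AWS or from any scanning tool: it evaluates the `<root_account>` row of such a report. The two CSV samples embedded below are constructed for the example (made-up account ID and dates), and the 90-day lookback is an assumed threshold, not an AWS setting.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample of an IAM credential report, as returned by
# `aws iam get-credential-report` after base64-decoding the Content field.
# Account ID and timestamps are made up for this example. The root row
# has an active access key that was used recently and a recent console login.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2019-01-10T12:00:00+00:00,not_supported,2024-05-02T08:15:00+00:00,not_supported,not_supported,true,true,2021-03-01T00:00:00+00:00,2024-04-28T09:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2020-06-01T00:00:00+00:00,true,2024-05-01T10:00:00+00:00,2024-01-01T00:00:00+00:00,N/A,true,true,2024-01-01T00:00:00+00:00,2024-05-01T10:05:00+00:00,us-east-1,iam,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Constructed sample of the same account after remediation: root key deleted,
# last console login older than the lookback window.
REMEDIATED_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2019-01-10T12:00:00+00:00,not_supported,2023-12-01T08:15:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

ROOT_USER = "<root_account>"
# Placeholder values the report uses instead of a timestamp.
NON_DATES = {"N/A", "no_information", "not_supported", ""}
# Assumed evaluation time, fixed so the example is reproducible offline.
ASSESSMENT_TIME = datetime(2024, 5, 10, tzinfo=timezone.utc)


def parse_date(value):
    """Return a timezone-aware datetime, or None for the report's placeholder values."""
    if value in NON_DATES:
        return None
    return datetime.fromisoformat(value)


def check_root(report_csv, now, max_idle_days=90):
    """Evaluate the root row of a credential report.

    Returns a dict with the slots (1 or 2) of active root access keys, a list of
    (credential, last_used) pairs for root credentials used within max_idle_days
    of `now`, whether MFA is enabled on root, and an overall compliant flag that
    is True only when root has no active keys and no recent use.
    """
    rows = list(csv.DictReader(io.StringIO(report_csv)))
    root = next((r for r in rows if r["user"] == ROOT_USER), None)
    if root is None:
        raise ValueError("credential report has no <root_account> row")

    cutoff = now - timedelta(days=max_idle_days)
    active_keys = [slot for slot in (1, 2) if root[f"access_key_{slot}_active"] == "true"]

    recent_use = []
    password_used = parse_date(root["password_last_used"])
    if password_used and password_used >= cutoff:
        recent_use.append(("console_password", password_used))
    for slot in (1, 2):
        key_used = parse_date(root[f"access_key_{slot}_last_used_date"])
        if key_used and key_used >= cutoff:
            recent_use.append((f"access_key_{slot}", key_used))

    return {
        "active_access_keys": active_keys,
        "recent_use": recent_use,
        "mfa_active": root["mfa_active"] == "true",
        "compliant": not active_keys and not recent_use,
    }


if __name__ == "__main__":
    for label, report in (("before", SAMPLE_REPORT), ("after", REMEDIATED_REPORT)):
        result = check_root(report, ASSESSMENT_TIME)
        print(f"{label}: compliant={result['compliant']} "
              f"active_keys={result['active_access_keys']} "
              f"recent_use={[(c, d.date().isoformat()) for c, d in result['recent_use']]}")
```

Run the decoded report through `check_root` with `now` set to the current UTC time; the "before" sample reports an active key 1, a console login and a key use inside the window, and is therefore non-compliant, while the "after" sample passes. Treat a `recent_use` entry as the cue to pull the matching CloudTrail events (userIdentity.type Root) and find out which process or person still relies on root.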