IAM root user access key should not exist

Description

Removing the access keys associated with the root user limits the vectors by which the account can be compromised: a root access key grants unrestricted access to every resource in the account and cannot be constrained by IAM policies. Deleting it also encourages the creation and use of role-based identities that are least privileged.

Console Remediation Steps

  • Logged in as the root user, navigate to IAM.

  • From the top navigation, select your account name > My Security Credentials.

  • If you see a warning about accessing the security credentials for your AWS account, choose Continue to Security Credentials.

  • Expand Access keys (access key ID and secret access key).

  • For each access key listed, choose Make Inactive, then choose Delete. In the confirmation dialog, choose Delete. Repeat until no root access keys remain.

CLI Remediation Steps

To delete the root user’s access key, run the AWS CLI with root credentials and omit --user-name: the root user is not an IAM user, and when the user name is omitted IAM acts on the identity that signed the request.

  • aws iam delete-access-key --access-key-id <access key id>

To confirm that none remain, aws iam get-account-summary must report AccountAccessKeysPresent as 0.
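The whole CLI procedure (check the account summary, list the root user's keys, deactivate any active key, delete each key, re-check the summary) as one script. This is an added example, not code from the original page or from the scanner that produced this check. It assumes AWS CLI v2 is installed and the shell holds root credentials; the function names are my own, and the aws command can be shadowed by a shell function for a dry run.

```shell
#!/bin/sh
# Added example, not part of the original page: remove every access key that
# belongs to the AWS account root user, then confirm that none remain.
# Assumptions: AWS CLI v2 is installed and the shell is configured with ROOT
# credentials. No --user-name is passed anywhere, because the root user is not
# an IAM user; with the name omitted, IAM acts on the identity signing the call.
set -eu

# Does the account summary report a root access key? Returns 0 = yes, 1 = no.
root_keys_present() {
    present=$(aws iam get-account-summary \
        --query 'SummaryMap.AccountAccessKeysPresent' --output text)
    [ "$present" = "1" ]
}

# One "<AccessKeyId><TAB><Status>" line per key of the calling (root) identity.
list_root_keys() {
    aws iam list-access-keys \
        --query 'AccessKeyMetadata[].[AccessKeyId,Status]' --output text
}

# Deactivate an Active key first (as the console does), then delete it.
# Prints the id of the key it removed.
delete_root_key() {
    key_id=$1
    status=$2
    if [ "$status" = "Active" ]; then
        aws iam update-access-key --access-key-id "$key_id" --status Inactive
    fi
    aws iam delete-access-key --access-key-id "$key_id"
    echo "$key_id"
}

# Remove all root keys and print the ids removed, one per line.
# A here-document keeps the loop in the current shell (no pipe subshell).
remove_all_root_keys() {
    if ! root_keys_present; then
        echo "no root access keys present" >&2
        return 0
    fi
    keys=$(list_root_keys)
    while read -r key_id status; do
        # An empty line or "None" means the projection had nothing to print.
        [ -n "$key_id" ] && [ "$key_id" != "None" ] || continue
        delete_root_key "$key_id" "$status"
    done <<EOF
$keys
EOF
    # Re-check: the summary must now report 0, otherwise something was missed.
    if root_keys_present; then
        echo "root access keys still present after deletion" >&2
        return 1
    fi
}

# Destructive, so only act when explicitly asked: sh remove-root-keys.sh --delete
case "${1:-}" in
    --delete) remove_all_root_keys ;;
esac
```

Without --delete the script only defines its functions, so it can be sourced and exercised against a stand-in aws function before it is pointed at a real account. The final get-account-summary check is the evidence an auditor will ask for: AccountAccessKeysPresent must read 0 after the run.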