Control: 1.7 Eliminate use of the 'root' user for administrative and daily tasks
Description
With the creation of an AWS account, a root user account is created. This root user is the most privileged user in an AWS account and has unrestricted access to and control over all resources in the account. It is highly recommended that the use of this root user to be avoided for everyday tasks.
By default IAM root user account for us-gov cloud regions is not enabled. However, on request AWS support can enable root user access keys only through CLI or API methods.
As the root user has unrestricted access to all the resources, it is dangerous to use for daily task. To avoid this it better to deactivate or delete any access keys associated with it. Also to change the root user password as necessary. Use of it, is inconsistent with the principles of least privilege and separation of duties, and can lead to unnecessary harm due to mistakes.
Remediation
When you find that the root user account is being used for daily activity that includes administrative tasks that do not require the root user, perform the following action:
- Change the root user password.
- Deactivate or delete any access keys associated with the root user.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.cis_v140_1_7
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.cis_v140_1_7 --share
SQL
This control uses a named query:
iam_root_last_used