Control: 4 IAM root user access key should not exist
Description
This control checks whether any access keys exist for the AWS account root user. Root user access keys grant unrestricted access to the account and should not exist; use IAM users or roles with least-privilege permissions for programmatic access instead.
Remediation
To delete access keys
1. Log in to your account using the root user credentials.
2. Choose the account name near the top-right corner of the page and then choose My Security Credentials.
3. In the pop-up warning, choose Continue to Security Credentials.
4. Choose Access keys (access key ID and secret access key).
5. To permanently delete the key, choose Delete and then choose Yes. You cannot recover deleted keys.
6. If there is more than one root user access key, then repeat steps 4 and 5 for each key.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.foundational_security_iam_4
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.foundational_security_iam_4 --share
SQL
This control uses a named query:
select
  'arn:' || partition || ':::' || account_id as resource,
  case
    when account_access_keys_present > 0 then 'alarm'
    else 'ok'
  end as status,
  case
    when account_access_keys_present > 0 then 'Root user access keys exist.'
    else 'No root user access keys exist.'
  end as reason,
  account_id
from
  aws_iam_account_summary;
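The query above reads the account summary counter and maps it to the control's alarm/ok status. As an added example (not Powerpipe's or Steampipe's own code), the following Python re-implements the same decision over the JSON that the AWS CLI command `aws iam get-account-summary` returns, so the check can also run where only the CLI is available (for instance in a CI job). It assumes that the Steampipe column `account_access_keys_present` corresponds to the `AccountAccessKeysPresent` entry of the API's `SummaryMap`; the sample summary and the account id are constructed placeholders.

```python
"""Added example: evaluate Foundational Security IAM.4 from `aws iam get-account-summary`
output, producing the same resource/status/reason fields as the control query.

Assumption (not confirmed by the page): the Steampipe column account_access_keys_present
is the API's SummaryMap["AccountAccessKeysPresent"] value (0 or 1).
"""
import json

# Constructed sample in the shape of `aws iam get-account-summary` output; not real data.
SAMPLE_SUMMARY_JSON = json.dumps({
    "SummaryMap": {
        "Users": 12,
        "AccountMFAEnabled": 1,
        "AccountAccessKeysPresent": 1,
        "AccountSigningCertificatesPresent": 0,
    }
})


def evaluate_root_access_keys(summary_json: str, account_id: str, partition: str = "aws") -> dict:
    """Return the same columns the control query produces: resource, status, reason, account_id.

    Mirrors the SQL: a counter greater than 0 is 'alarm', anything else (including a
    missing counter, which the SQL treats as NULL and therefore 'ok') is 'ok'.
    """
    summary = json.loads(summary_json)["SummaryMap"]
    keys_present = int(summary.get("AccountAccessKeysPresent", 0))
    alarm = keys_present > 0
    return {
        # Same ARN shape as the query: partition, empty service and region, account id.
        "resource": f"arn:{partition}:::{account_id}",
        "status": "alarm" if alarm else "ok",
        "reason": "Root user access keys exist." if alarm else "No root user access keys exist.",
        "account_id": account_id,
    }


if __name__ == "__main__":
    # Placeholder account id; in practice take it from `aws sts get-caller-identity`
    # and feed the real `aws iam get-account-summary` output instead of the sample.
    result = evaluate_root_access_keys(SAMPLE_SUMMARY_JSON, account_id="123456789012")
    print(json.dumps(result, indent=2))
    # Non-zero exit on alarm so a pipeline step fails when root access keys exist.
    raise SystemExit(1 if result["status"] == "alarm" else 0)
```

Piping the real CLI output in (`aws iam get-account-summary` printed as JSON) instead of `SAMPLE_SUMMARY_JSON` gives the same alarm/ok verdict the control reports, which is useful for cross-checking a Powerpipe result against the raw API.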