Avoid AWS Root User Usage
Overview
This check verifies that the AWS account root user has not been used within the last 24 hours. The root user has unrestricted access to your entire AWS account, so it should only be used for tasks that specifically require root credentials.
Risk
Using the root user for day-to-day tasks creates serious security risks:
- Data exposure: The root user can access everything in your account, increasing the blast radius if credentials are compromised
- No audit trail granularity: Actions performed as root cannot be attributed to individual team members
- Account takeover impact: If root credentials are stolen, attackers gain complete control
- Reduced anomaly detection: Routine root usage makes it harder to detect suspicious activity
Remediation Steps
Prerequisites
- Access to the AWS Console with root user credentials (one final time)
- An IAM user or IAM Identity Center (SSO) user with administrator permissions for ongoing work
Setting up an alternative admin user
If you don't already have an admin user, create one before discontinuing root access:
Option A: IAM Identity Center (recommended for organizations)
- Go to IAM Identity Center in the AWS Console
- Create or connect your identity source
- Create a user and assign the AdministratorAccess permission set
Option B: IAM User
- Go to IAM > Users > Create user
- Enable console access and set a strong password
- Attach the AdministratorAccess policy
- Enable MFA for the new user
AWS Console Method
- Sign in as root to the AWS Console at https://console.aws.amazon.com/
- Click your account name in the top-right corner
- Select Security credentials
- Scroll to the Access keys section
- If any access keys exist, click Actions > Delete for each one
- Sign out of the root account
- From now on, use your IAM or IAM Identity Center user for all tasks
- Wait 24 hours for this check to pass
Important: After removing root access keys, store your root credentials securely (e.g., in a password manager or safe) for the rare occasions when root access is required.
AWS CLI (optional)
Check when root was last used:
First, generate and retrieve the credential report:
```bash
aws iam generate-credential-report --region us-east-1
aws iam get-credential-report --region us-east-1 \
  --query 'Content' --output text | base64 --decode | head -2
```
This shows the root user's `password_last_used` and `access_key_*_last_used_date` columns.
Delete root access keys:
Root access keys must be deleted from the console. The CLI cannot delete root user access keys because:
- The `delete-access-key` command requires either a `--user-name` or runs in the context of the calling IAM user
- Root is not an IAM user and cannot be specified as `--user-name`
Use the console method above to delete root access keys.
CloudFormation (optional)
CloudFormation cannot manage root user credentials directly. Root account security settings must be configured manually through the AWS Console.
However, you can use CloudFormation to create IAM users or roles that serve as alternatives to root:
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Create an admin IAM user to avoid root usage
Resources:
  AdminUser:
    Type: AWS::IAM::User
    Properties:
      UserName: admin-user
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AdministratorAccess
      Tags:
        - Key: Purpose
          Value: Root user alternative
  AdminUserAccessKey:
    Type: AWS::IAM::AccessKey
    Properties:
      UserName: !Ref AdminUser
      # Note: Store the secret key securely - it's only available at creation time
Outputs:
  AdminUserName:
    Description: Admin user name
    Value: !Ref AdminUser
  AdminAccessKeyId:
    Description: Admin user access key ID
    Value: !Ref AdminUserAccessKey
  AdminSecretAccessKey:
    Description: Admin user secret access key (store securely!)
    Value: !GetAtt AdminUserAccessKey.SecretAccessKey
```
Important: This template outputs the secret access key. In production, use AWS Secrets Manager instead.
Terraform (optional)
Terraform cannot manage root user credentials directly. Root account security settings must be configured manually through the AWS Console.
However, you can use Terraform to create IAM users or roles as alternatives to root:
```hcl
# Create an admin IAM user to avoid root usage
resource "aws_iam_user" "admin" {
  name = "admin-user"
  tags = {
    Purpose = "Root user alternative"
  }
}

resource "aws_iam_user_policy_attachment" "admin_access" {
  user       = aws_iam_user.admin.name
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}

# Optional: Create access keys (store securely!)
resource "aws_iam_access_key" "admin" {
  user = aws_iam_user.admin.name
}

output "admin_access_key_id" {
  description = "Admin user access key ID"
  value       = aws_iam_access_key.admin.id
}

output "admin_secret_access_key" {
  description = "Admin user secret access key"
  value       = aws_iam_access_key.admin.secret
  sensitive   = true
}
```
Better approach: Use IAM Identity Center (SSO) for human access and IAM roles for programmatic access.
Verification
After completing the remediation:
- Wait 24 hours (the check looks at the last 24-hour period)
- Re-run the Prowler check: `prowler aws --check iam_avoid_root_usage`
- Confirm the check now passes
Manual verification via credential report
Generate and review the credential report:
```bash
aws iam generate-credential-report --region us-east-1
aws iam get-credential-report --region us-east-1 \
  --query 'Content' --output text | base64 --decode
```
Look at the first row (root user) and verify:
- `password_last_used` is more than 24 hours ago (or `no_information`)
- `access_key_1_active` is `false`
- `access_key_2_active` is `false`
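The credential-report review above (the last-used columns from the CLI section and the three verification conditions) applied offline, as an added example that is not Prowler's own check code. The sample report, including its account ID and timestamps, is constructed so the script runs without AWS access.

```python
"""Evaluate the <root_account> row of a decoded IAM credential report.

Added example (not Prowler's code): applies the 24-hour rule from the
check plus the access-key conditions from the verification section.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample: header plus the root row, in the column layout of a
# decoded `aws iam get-credential-report`. All values are made up.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T09:30:00+00:00,not_supported,not_supported,true,true,2023-02-01T00:00:00+00:00,2024-04-20T12:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Columns that record root credential use, and the active-key flags.
ROOT_TIME_FIELDS = ("password_last_used", "access_key_1_last_used_date",
                    "access_key_2_last_used_date")
ROOT_KEY_FIELDS = ("access_key_1_active", "access_key_2_active")


def parse_timestamp(value):
    """Return an aware datetime, or None for AWS placeholders such as
    'no_information', 'N/A' and 'not_supported'."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def evaluate_root(report_csv, now_iso, hours=24):
    """Find root credentials used within the window ending at now_iso and
    any root access keys still active; passes only if both lists are empty."""
    now = parse_timestamp(now_iso)
    window = timedelta(hours=hours)
    rows = csv.DictReader(io.StringIO(report_csv))
    root = next(r for r in rows if r["user"] == "<root_account>")
    used_recently = []
    for field in ROOT_TIME_FIELDS:
        ts = parse_timestamp(root[field])
        if ts is not None and now - ts < window:
            used_recently.append(field)
    active_keys = [f for f in ROOT_KEY_FIELDS if root[f] == "true"]
    return {"used_recently": used_recently, "active_keys": active_keys,
            "passes": not used_recently and not active_keys}
```

Pipe the real decoded report into `evaluate_root` with the current UTC time to reproduce the manual review without reading the CSV by eye.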
Additional Resources
- AWS Root User Best Practices
- Tasks That Require Root User Credentials
- Getting Started with IAM Identity Center
- Credential Reports in IAM
Notes
- Legitimate root use cases: Some tasks require root access, such as changing account settings, closing the account, or restoring IAM permissions. For these, use root briefly and then sign out.
- MFA is critical: Always enable MFA on the root account, even if you rarely use it. This is covered by a separate Prowler check (`iam_root_mfa_enabled`).
- Multi-person approval: Consider implementing a break-glass procedure requiring multiple approvals before root credentials can be accessed.
- Alerting: Set up CloudWatch alarms or EventBridge rules to notify you whenever root signs in. This is covered by check `cloudwatch_log_metric_filter_root_usage`.