Root Account Has No Active Access Keys

Overview

This check verifies that your AWS root user does not have any active access keys. The root user is the most privileged identity in your AWS account and should never be used for everyday tasks or automation.

Risk

Active root access keys are a critical security risk:

  • Complete account compromise: Anyone with root access keys has unrestricted access to everything in your AWS account
  • Data theft: Attackers can read, copy, or export all your data
  • Resource destruction: Attackers can delete any resource, including backups
  • Lockout risk: Attackers can change passwords and lock out administrators
  • Bypasses MFA: Access keys can work even if MFA is enabled on the console, providing a backdoor
  • Long-lived credentials: Unlike temporary credentials, access keys don't expire automatically

Remediation Steps

Prerequisites

  • Root user credentials (email and password)
  • MFA device for the root account (strongly recommended)

AWS Console Method

  1. Sign in as the root user
  2. Navigate to security credentials
    • Click your account name in the top-right corner
    • Select Security credentials from the dropdown menu
  3. Find the Access Keys section
    • Scroll down to the Access keys section
    • You will see a list of any existing access keys and their status
  4. Delete active access keys
    • For each key with status Active:
      • Click Actions next to the key
      • Select Delete
      • Confirm the deletion when prompted
  5. Verify no active keys remain
    • The Access keys section should show no active keys
    • If you see "You do not have any access keys", you're done

AWS CLI (optional)

Important: You cannot delete root access keys using the AWS CLI while authenticated as a regular IAM user. The root user must delete their own keys via the console. However, you can verify the status of root access keys using the IAM credential report.

Generate and download a credential report:

# Generate the credential report
aws iam generate-credential-report --region us-east-1

# Wait a few seconds for the report to generate, then download it
aws iam get-credential-report --region us-east-1 --query 'Content' --output text | base64 --decode > credential-report.csv

Check for root access keys in the report:

# View the root user row (first data row after header)
head -2 credential-report.csv | tail -1 | cut -d',' -f1,9,11,14,16

The output columns are:

  • user (should be <root_account>)
  • access_key_1_active (should be false)
  • access_key_1_last_used_date
  • access_key_2_active (should be false)
  • access_key_2_last_used_date

If either access_key_1_active or access_key_2_active shows true, you must delete those keys via the console.
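As an added example (not part of the original page), the same root-key check done in Python: it decodes a get-credential-report response and selects the columns by name instead of by position, so the check does not silently break if the report's column order differs from the cut field numbers above. The response and account ID are constructed sample data, not output from a real account.

```python
import base64
import csv
import io
import json

# Constructed sample: the JSON that `aws iam get-credential-report` returns,
# with a two-row CSV (header + root row) base64-encoded in "Content".
# The account ID 111122223333 is a placeholder.
SAMPLE_CSV = (
    "user,arn,user_creation_time,password_enabled,password_last_used,"
    "password_last_changed,password_next_rotation,mfa_active,"
    "access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,"
    "access_key_1_last_used_region,access_key_1_last_used_service,"
    "access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,"
    "access_key_2_last_used_region,access_key_2_last_used_service,"
    "cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated\n"
    "<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,"
    "not_supported,2024-05-01T10:00:00+00:00,not_supported,not_supported,true,"
    "true,2021-03-03T12:00:00+00:00,2024-04-30T09:15:00+00:00,us-east-1,s3,"
    "false,N/A,N/A,N/A,N/A,false,N/A,false,N/A\n"
)
SAMPLE_RESPONSE = json.dumps({
    "Content": base64.b64encode(SAMPLE_CSV.encode()).decode(),
    "ReportFormat": "text/csv",
    "GeneratedTime": "2024-05-01T10:05:00+00:00",
})


def root_access_key_status(response_json: str) -> dict:
    """Decode the report and return the root user's access-key fields by column name."""
    content = base64.b64decode(json.loads(response_json)["Content"]).decode()
    for row in csv.DictReader(io.StringIO(content)):
        if row["user"] == "<root_account>":
            return {
                "key1_active": row["access_key_1_active"] == "true",
                "key1_last_used": row["access_key_1_last_used_date"],
                "key2_active": row["access_key_2_active"] == "true",
                "key2_last_used": row["access_key_2_last_used_date"],
            }
    raise ValueError("no <root_account> row in credential report")


def root_has_active_keys(response_json: str) -> bool:
    """True when either root access key is active, i.e. the condition this check flags."""
    status = root_access_key_status(response_json)
    return status["key1_active"] or status["key2_active"]
```

Feed it the JSON from `aws iam get-credential-report --output json`; the sample above has key 1 active and last used from us-east-1, so it reports a finding.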

Prevention with Service Control Policies (optional)

If you use AWS Organizations, you can create a Service Control Policy (SCP) that denies the creation of root access keys across your organization. Note that SCPs cannot prevent root from creating keys in the management account itself.

Example SCP to deny root access key creation in member accounts:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRootAccessKeyCreation",
      "Effect": "Deny",
      "Action": "iam:CreateAccessKey",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:root"
        }
      }
    }
  ]
}

Apply this SCP to your organization or organizational units (OUs) via the AWS Organizations console.

Verification

After deleting the access keys:

  1. Console verification
    • Return to the Security credentials page for the root user
    • Confirm the Access keys section shows no active keys
  2. Credential report verification
    • Generate a new credential report (AWS caches the report for 4 hours, so a fresh report may not reflect the deletion until 4 hours have passed; alternatively, check the next day)
    • Verify that access_key_1_active and access_key_2_active are both false for the root user
  3. Re-run Prowler
    • Execute the Prowler check again to confirm remediation:
      prowler aws --checks iam_no_root_access_key --region us-east-1

Notes

  • This is a one-time fix: Once you delete root access keys, avoid creating new ones
  • Use IAM users or roles instead: For programmatic access, create IAM users or roles with appropriate permissions
  • Enable MFA on root: Always enable MFA on your root account as an additional security layer
  • Root should be break-glass only: Reserve root access for emergencies like account recovery or specific tasks that only root can perform
  • Monitor for new keys: Set up CloudWatch alarms or use AWS Config rules to alert if root access keys are created in the future