VIEW RULE IN DATADOG VIEW MISCONFIGURATIONS

Description

The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the root account be removed.

Rationale

Removing access keys associated with the root account limits vectors by which the account can be compromised. Additionally, removing the root access keys encourages the creation and use of role based accounts that are least privileged.

Remediation

From the console

1. Sign in to the AWS Management Console as ‘root’ and open the IAM console at https://console.aws.amazon.com/iam/.
2. Click <Root_Account_Name> at the top right and select My Security Credentials from the drop-down list.
3. In the pop-up, click Continue to Security Credentials.
4. Click Access Keys (Access Key ID and Secret Access Key).
5. Under the Status column, if there are any keys that are in the active state, either:
   • Click Make Inactive - (Temporarily disables key - may require it again)
   • Click Delete - (Deleted keys cannot be recovered)

References

1. http://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html
2. http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html
3. http://docs.aws.amazon.com/IAM/latest/APIReference/API_GetAccountSummary.html
4. https://aws.amazon.com/blogs/security/an-easier-way-to-determine-the-presence-of-aws-account-access-keys/

Additional Information: IAM User account “root” for us-gov cloud regions is not enabled by default. However, on request to AWS support enables root access only through access-keys (CLI, API methods) for us-gov cloud region.