---
title: Root account has active access keys
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > Root account has active access keys
---

# Root account has active access keys

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `ansible-aws-root-account-has-active-access-keys`

**Provider:** AWS

**Platform:** Ansible

**Severity:** High

**Category:** Insecure Configurations

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/amazon/aws/iam_access_key_module.html)

### Description{% #description %}

Active root access keys grant full, account-wide privileges. A leaked key could lead to immediate and complete compromise of the environment. This rule inspects Ansible tasks using the `amazon.aws.iam_access_key` or `iam_access_key` modules and flags entries where `user_name` contains "root", the `active` property is `true` (or absent, since `true` is the default), and `state` is not `absent`.

The `active` property must not be `true` for root account entries. Resources should either omit root access keys or set `active` to `false`. Any task with an active root access key is flagged. Remove or deactivate root access keys and use IAM users or roles with least privilege for automation and service access.
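The rule logic above (match on the module name, `user_name` containing "root", `active` true or absent, `state` not `absent`) as a small standalone checker. This is an added example, not Datadog's own implementation: tasks are represented as Python dicts in the shape `yaml.safe_load` would return for an Ansible tasks file, the case-insensitive match on `user_name` and the set of accepted truthy strings are assumptions, and the sample tasks beyond the two on this page are constructed.

```python
"""Checker for the rule 'Root account has active access keys' (Ansible / AWS).

Added example, not Datadog's own rule implementation. Tasks are given as
Python dicts, as yaml.safe_load would return them for a tasks file; the
sample tasks below are constructed for this example (the first two mirror
the page's compliant and non-compliant snippets).
"""

# Both the fully qualified and the short module name are in scope.
MODULES = ("amazon.aws.iam_access_key", "iam_access_key")


def _is_true(value) -> bool:
    """Interpret an Ansible-style boolean.

    None (property absent) counts as true, because `active` defaults to
    true in the module. Accepting "yes"/"on"/"1" strings is an assumption.
    """
    if value is None:
        return True
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in {"true", "yes", "on", "1"}


def finds_active_root_key(task: dict):
    """Return the matching module name if the task violates the rule, else None."""
    for module in MODULES:
        if module in task:
            params = task[module] or {}
            break
    else:
        return None  # task does not use an access-key module
    if not isinstance(params, dict):
        return None  # free-form argument string; nothing to inspect
    user = str(params.get("user_name", ""))
    if "root" not in user.lower():  # assumption: case-insensitive match
        return None
    if str(params.get("state", "present")).lower() == "absent":
        return None  # deleting a root key is compliant
    if not _is_true(params.get("active")):
        return None  # explicitly deactivated key is compliant
    return module


def check_tasks(tasks):
    """Return (index, task name, module) for every task the rule flags."""
    findings = []
    for i, task in enumerate(tasks):
        module = finds_active_root_key(task)
        if module:
            findings.append((i, task.get("name", f"task {i}"), module))
    return findings


# Constructed sample input.
SAMPLE_TASKS = [
    # Page's compliant example: root key explicitly inactive.
    {"name": "Create root access key but inactive",
     "amazon.aws.iam_access_key": {"user_name": "root", "active": False}},
    # Page's non-compliant example: `active` absent, so it defaults to true.
    {"name": "Create root access key",
     "amazon.aws.iam_access_key": {"user_name": "root", "state": "present"}},
    # Constructed: short module name and a YAML-style string boolean.
    {"name": "Legacy root key",
     "iam_access_key": {"user_name": "root", "active": "yes"}},
    # Constructed: removing a root key is compliant.
    {"name": "Remove root key",
     "amazon.aws.iam_access_key": {"user_name": "root", "state": "absent"}},
    # Constructed: an ordinary IAM user is outside this rule's scope.
    {"name": "Deploy user key",
     "amazon.aws.iam_access_key": {"user_name": "deploy-bot", "active": True}},
]

if __name__ == "__main__":
    for idx, name, module in check_tasks(SAMPLE_TASKS):
        print(f"task[{idx}] {name!r}: active root access key via {module}")
```

Run against the sample list, only the second and third tasks are reported; the absent `active` on the page's non-compliant snippet is what makes it a finding, which is why the checker treats a missing property as `true` rather than as "unknown".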

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
# Compliant: the rule should not report a result for this task
- name: Create root access key but inactive
  amazon.aws.iam_access_key:
    user_name: root
    active: false
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
# Non-compliant: `active` is omitted (defaults to true), so the rule reports this task
- name: Create root access key
  amazon.aws.iam_access_key:
    user_name: root
    state: present
```
