For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-root-account-has-active-access-keys.md. A documentation index is available at /llms.txt.

Root account has active access keys

This product is not supported for your selected Datadog site. ().

Metadata

Id: cloudformation-aws-root-account-has-active-access-keys

Provider: AWS

Platform: CloudFormation

Severity: High

Category: Insecure Configurations

Learn More

Description

Access keys associated with the AWS root account grant persistent, account-wide credentials. If compromised, they can lead to full account takeover and loss of control over all resources.

In CloudFormation, AWS::IAM::AccessKey resources must not be associated with the root account. This rule flags Resources.<name>.Properties.UserName values that contain root (case-insensitive). Instead of creating or using root access keys, delete or deactivate any existing root keys, enable MFA on the root account, and provision IAM users or roles with least privilege for programmatic access.

Secure configuration example (associate access keys with an IAM user rather than the root account):

MyUser:
  Type: AWS::IAM::User
  Properties:
    UserName: app-user

MyAccessKey:
  Type: AWS::IAM::AccessKey
  Properties:
    UserName: !Ref MyUser

Compliant Code Examples

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  CFNKeys:
    Type: AWS::IAM::AccessKey
    Properties:
      UserName: MyUser

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "CFNKeys": {
      "Type": "AWS::IAM::AccessKey",
      "Properties": {
        "UserName": "MyUser"
      }
    }
  }
}

Non-Compliant Code Examples

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  CFNKeys:
    Type: AWS::IAM::AccessKey
    Properties:
      UserName: Root

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "CFNKeys": {
      "Type": "AWS::IAM::AccessKey",
      "Properties": {
        "UserName": "Root"
      }
    }
  }
}

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  CFNKeys:
    Type: AWS::IAM::AccessKey
    Properties:
      UserName: !Ref rootUser
  rootUser:
    Type: AWS::IAM::User
    Properties:
      UserName: root