An AWS account root user has a programmatic access key

Docs > Datadog Security > OOTB Rules > An AWS account root user has a programmatic access key

Description

An AWS account root user is associated with an access key.

Root user access keys provide administrative access to your AWS account. Attackers regularly target IAM access keys to compromise organizations. If an attacker gains access to your root user access key, they can perform all administrative actions on your account. A best practice is to create least-privileged IAM access keys for necessary functions to avoid a complete account compromise.

Remediation

In AWS console, click <Root_Account_Name> and select My Security Credentials from the drop-down list.
Click Continue to Security Credentials.
Click Access Keys (Access Key ID and Secret Access Key).
If there are any keys that are in the active state in the Status column, do one of the following:
- Click Make Inactive to temporarily disable the key.
- Click Delete to permanently delete the key.

Note: The IAM account root user for Gov Cloud (US) cloud regions is not enabled by default. However, you can submit a request to AWS support to enable root access only through access-keys (CLI, API methods) for Gov Cloud (US) cloud regions.