About
The root user is the most privileged user in AWS. A single access key pair leak of the root user credential could have a significant impact on your business. Audit, revoke, and monitor the lifecycle of root user keys in your environment.
Understanding Impact
Business Impact
The AWS root user has no present documented use cases that require programmatic access. If this misconfiguration is present in the environment, consider it a maximum priority to remediate.
Technical Impact
The AWS root user has virtually unlimited privileges, including accessing and removing all data in the account. Having active access keys for the root user is both unnecessary and risky, as access keys do not expire and are frequently leaked.
Identify affected resources
You can generate an IAM credentials report from the AWS CLI or AWS Console to check if the root user of a specific AWS account has active access keys.
You can use the following fields, on rows where user is set to <root_user>:
access_key_1_activeandaccess_key_1_last_used_dateaccess_key_2_activeandaccess_key_2_last_used_date
Remediate vulnerable resources
Usage of the root user is only required for a very limited number of tasks and should not be used on a daily basis.
It is recommended to not generate any access key for the root user. You can remove root user access keys only from the AWS Console.
How Datadog can help
Cloud Security Management
Datadog Cloud Security Management detects this vulnerability using the out-of-the-box rule "Datadog CSM Misconfigurations Rule | No root account access key should exist".
References
AWS account root user
aws documentation
FTC Chegg Complaint
ftc.gov
AWS root Account Takeover
medium.com
Ubiquity breach
web.archive.org
Behind the scenes in the Expel SOC: Alert-to-fix in AWS
expel.io