Active root user access keys







EXPLOITABILITY Exploitability of a vulnerability measures how easy it is for an attacker to discover and exploit the vulnerability, some might refer to this as likelihood.

IMPACT How impactful to your environment and organization a successful exploitation of this vulnerability is expected to be.




The root user is the most privileged user in AWS. A single access key pair leak of the root user credential could have a significant impact on your business. Audit, revoke, and monitor the lifecycle of root user keys in your environment.

Understanding Impact

Business Impact

The AWS root user has no present documented use cases that require programmatic access. If this misconfiguration is present in the environment, consider it a maximum priority to remediate.

Technical Impact

The AWS root user has virtually unlimited privileges, including accessing and removing all data in the account. Having active access keys for the root user is both unnecessary and risky, as access keys do not expire and are frequently leaked.

Identify affected resources

You can generate an IAM credentials report from the AWS CLI or AWS Console to check if the root user of a specific AWS account has active access keys.

You can use the following fields, on rows where user is set to <root_user>:

  • access_key_1_active and access_key_1_last_used_date
  • access_key_2_active and access_key_2_last_used_date

Remediate vulnerable resources

Usage of the root user is only required for a very limited number of tasks and should not be used on a daily basis.

It is recommended to not generate any access key for the root user. You can remove root user access keys only from the AWS Console.

How Datadog can help

Cloud Security Management

Datadog Cloud Security Management detects this vulnerability using the out-of-the-box rule "Datadog CSM Misconfigurations Rule | No root account access key should exist".


AWS account root user

aws documentation

FTC Chegg Complaint

AWS root Account Takeover

Ubiquity breach

Behind the scenes in the Expel SOC: Alert-to-fix in AWS

Did you find this article helpful?

Related Vulnerabilities and Threats