The root user is the most privileged user in AWS. A single access key pair leak of the root user credential could have a significant impact on your business. Audit, revoke, and monitor the lifecycle of root user keys in your environment.
The AWS root user has no present documented use cases that require programmatic access. If this misconfiguration is present in the environment, consider it a maximum priority to remediate.
root user has virtually unlimited privileges, including accessing and removing all data in the account. Having active access keys for the root user is both unnecessary and risky, as access keys do not expire and are frequently leaked.
Identify affected resources
You can generate an IAM credentials report from the AWS CLI or AWS Console to check if the root user of a specific AWS account has active access keys.
You can use the following fields, on rows where
user is set to
Remediate vulnerable resources
Usage of the root user is only required for a very limited number of tasks and should not be used on a daily basis.
It is recommended to not generate any access key for the root user. You can remove root user access keys only from the AWS Console.
How Datadog can help
Cloud Security Management
Datadog Cloud Security Management detects this vulnerability using the out-of-the-box rule "Datadog CSPM Rule | No root account access key exists".
AWS account root user
FTC Chegg Complaint
AWS root Account Takeover
Behind the scenes in the Expel SOC: Alert-to-fix in AWS