Usage of the root user

Service: iam

Data breaches: known

Exploitability: medium (exploitability measures how easy it is for an attacker to discover and exploit the vulnerability; some refer to this as likelihood)

Impact: high (how impactful to your environment and organization a successful exploitation of this vulnerability is expected to be)

About

In recent years, the number of potential uses for the AWS root user has decreased significantly. As a result, it should not be used frequently. Enabling monitoring and alerts on root user usage in your environment is recommended.

Understanding Impact

Business Impact

The AWS root user has unlimited privileges and should not be used for daily operations.

Technical Impact

The AWS root user has unlimited privileges, including the ability to access and remove account data. Regular usage of the root user creates a substantial risk, as its credentials do not expire and can easily be leaked.

Identify affected resources

To check if the root user of an AWS account was recently used, generate an IAM credential report from the AWS CLI or AWS Console.

Use the following fields on the row where the user column is set to <root_user>:

  • password_enabled and password_last_used
  • access_key_1_active and access_key_1_last_used_date
  • access_key_2_active and access_key_2_last_used_date
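As an added example (not part of the original page), the check above carried out over a credential report: a constructed sample report is parsed with the standard library and the root row is inspected for active access keys and for any credential used within the 30-day window that the Datadog rule referenced later on this page applies. The column names are the ones AWS emits; the account ID and timestamps are made up.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample report using the column layout AWS returns after the
# get-credential-report Content field is base64-decoded. Only the columns
# used below are included; a real report carries more.
SAMPLE_REPORT = """user,arn,password_enabled,password_last_used,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,not_supported,2024-05-20T00:00:00+00:00,true,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,true,2024-05-29T08:00:00+00:00,true,2024-05-30T10:00:00+00:00,false,N/A
"""

# Assumed evaluation time for the sample; in practice use datetime.now(timezone.utc).
REPORT_TIME = datetime(2024, 6, 1, tzinfo=timezone.utc)

# (enabled/active column, last-used column) pairs named on this page.
FIELDS = [
    ("password_enabled", "password_last_used"),
    ("access_key_1_active", "access_key_1_last_used_date"),
    ("access_key_2_active", "access_key_2_last_used_date"),
]

def parse_ts(value):
    """Return an aware datetime, or None for N/A, no_information, not_supported."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None

def root_findings(report_csv, now, window=timedelta(days=30)):
    """Return findings for the root row: active access keys and recent use."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        # The user column holds a placeholder for root; the ARN suffix is a
        # more robust way to pick out the root row.
        if not row["arn"].endswith(":root"):
            continue
        for active_col, used_col in FIELDS:
            # Root should have no access keys at all, so an active key is a finding.
            if active_col.startswith("access_key") and row[active_col] == "true":
                findings.append(f"{active_col}: root has an active access key")
            last = parse_ts(row[used_col])
            if last is not None and now - last <= window:
                findings.append(f"{used_col}: used {(now - last).days} days ago")
    return findings

def check_sample():
    return root_findings(SAMPLE_REPORT, REPORT_TIME)
```

Against a real account, `aws iam generate-credential-report` followed by `aws iam get-credential-report --query Content --output text | base64 -d` yields this CSV.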

Remediate vulnerable resources

The root user is only required for a very limited number of tasks and should not be used on a daily basis.

It is recommended to not generate any access keys for the root user, securely store its password in a password vault, and raise an alert when it's used.

How Datadog can help

Cloud Security Management

Datadog Cloud Security Management detects this vulnerability using the out-of-the-box rule "Datadog CSM Misconfigurations Rule | Root account credentials should be inactive for the previous 30 days".

References

  • AWS account root user (aws documentation)
  • FTC Chegg Complaint (ftc.gov)
  • AWS root Account Takeover (medium.com)
  • Ubiquity breach (web.archive.org)
  • Behind the scenes in the Expel SOC: Alert-to-fix in AWS (expel.io)
