In recent years the number of tasks that actually require the AWS root user has decreased significantly, so it should rarely, if ever, need to be used. Enable monitoring and alerting on any root user activity in your environment.
The AWS root user has unlimited privileges and should not be used for daily operations.
The AWS root user has unrestricted access to everything in the account, including the ability to read and delete account data. Routine use of the root user is a substantial risk: its credentials do not expire, they cannot be restricted by IAM policies, and a leaked root password or access key amounts to a full account compromise.
Identify affected resources
To check whether the root user of an AWS account has been used recently, generate an IAM credential report from the AWS CLI or the AWS Console.
On the row where the user column is <root_account>, look at the password_last_used, access_key_1_last_used_date and access_key_2_last_used_date fields. A value of N/A or no_information means that credential has not been used (or that AWS has no usage data for it); a timestamp is the last time it was used.
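As an added example (not part of the original page), the following Python parses a credential report and reports which root credentials were used in a lookback window. The CSV is a constructed sample with the real report's column names, not an actual account, and the reference date SAMPLE_NOW is fixed so the output is reproducible; for a live check, decode the report with the CLI commands in the docstring and pass the current time.

```python
"""Check the IAM credential report for recent root-user activity.

Fetch a real report with the AWS CLI (run separately, needs credentials), then
pass the decoded CSV text to the functions below:
    aws iam generate-credential-report
    aws iam get-credential-report --query Content --output text | base64 -d > report.csv
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample report (not a real account). The real report has the same
# columns; only the <root_account> row matters for this check.
SAMPLE_REPORT = (
    "user,arn,user_creation_time,password_enabled,password_last_used,"
    "password_last_changed,password_next_rotation,mfa_active,access_key_1_active,"
    "access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,"
    "access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,"
    "access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service\n"
    "<root_account>,arn:aws:iam::123456789012:root,2019-03-01T08:00:00+00:00,not_supported,"
    "2024-05-20T14:02:11+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,"
    "true,2023-01-10T09:00:00+00:00,2024-04-30T16:45:00+00:00,us-east-1,s3\n"
    "alice,arn:aws:iam::123456789012:user/alice,2020-06-15T12:00:00+00:00,true,"
    "2024-05-21T09:30:00+00:00,2024-01-05T10:00:00+00:00,N/A,true,true,"
    "2024-03-01T10:00:00+00:00,2024-05-28T07:12:00+00:00,eu-west-1,sts,false,N/A,N/A,N/A,N/A\n"
)

# Fixed reference time so the sample gives stable results; for a live report use
# datetime.now(timezone.utc) instead (or pass now=None).
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# The three fields that record when a root credential was last used.
ROOT_USAGE_FIELDS = (
    "password_last_used",
    "access_key_1_last_used_date",
    "access_key_2_last_used_date",
)


def parse_timestamp(value):
    """Return an aware datetime, or None for N/A, no_information, not_supported."""
    try:
        ts = datetime.fromisoformat(value)
    except (TypeError, ValueError):
        return None
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def root_row(report_csv):
    """Return the <root_account> row of the report as a dict."""
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            return row
    raise ValueError("credential report has no <root_account> row")


def recent_root_activity(report_csv, days=30, now=None):
    """Names of the root credential fields showing use within the last `days` days."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=days)
    row = root_row(report_csv)
    used = []
    for field in ROOT_USAGE_FIELDS:
        ts = parse_timestamp(row[field])
        if ts is not None and ts >= cutoff:
            used.append(field)
    return sorted(used)


def active_root_access_keys(report_csv):
    """Root access keys that exist and are active. Root should have none of these."""
    row = root_row(report_csv)
    return [k for k in ("access_key_1", "access_key_2") if row[k + "_active"] == "true"]


if __name__ == "__main__":
    print("root credentials used in last 30 days:", recent_root_activity(SAMPLE_REPORT, 30, SAMPLE_NOW))
    print("active root access keys:", active_root_access_keys(SAMPLE_REPORT))
```

On the sample, only the root password was used within 30 days, while access key 2 (last used 32 days earlier) still shows up as an active key that should be deleted; the same two functions run unchanged over a real decoded report.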
Remediate vulnerable resources
Only a very limited set of account-management tasks require the root user; everything else should be done with IAM identities, and the root user should never be part of day-to-day operations.
Do not create access keys for the root user (and delete any that already exist), store its password in a password vault with restricted access, and raise an alert whenever it is used.
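To make the alerting recommended above (and in the opening paragraph) concrete, here is an added Python example, not code from the original page or from Datadog, that applies the widely used CloudWatch Logs metric-filter condition for root usage to CloudTrail records: userIdentity.type is Root, userIdentity.invokedBy is absent (so service calls made on root's behalf are skipped), and eventType is not AwsServiceEvent. The records are constructed samples trimmed to the fields the check reads, not real CloudTrail output.

```python
"""Flag human root-user activity in CloudTrail records.

Equivalent metric filter pattern for a CloudWatch Logs alarm:
    { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS
      && $.eventType != "AwsServiceEvent" }
A CloudTrail log file delivered to S3 is gzipped JSON of the form {"Records": [...]};
decompress it and pass the text to root_usage_alerts().
"""
import json

# Constructed sample records (not real CloudTrail output), trimmed to relevant fields.
SAMPLE_TRAIL = json.dumps({"Records": [
    # Interactive console sign-in as root: must alert.
    {"eventTime": "2024-05-20T14:02:11Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com", "eventType": "AwsConsoleSignIn",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root",
                      "accountId": "123456789012"}},
    # API call with root credentials: must alert (and is exactly what remediation forbids).
    {"eventTime": "2024-05-20T14:05:40Z", "eventName": "CreateAccessKey",
     "eventSource": "iam.amazonaws.com", "eventType": "AwsApiCall",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root",
                      "accountId": "123456789012"}},
    # A service acting on root's behalf carries invokedBy: not a human root session.
    {"eventTime": "2024-05-20T15:00:00Z", "eventName": "DescribeStacks",
     "eventSource": "cloudformation.amazonaws.com", "eventType": "AwsApiCall",
     "sourceIPAddress": "cloudformation.amazonaws.com",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root",
                      "accountId": "123456789012",
                      "invokedBy": "cloudformation.amazonaws.com"}},
    # AWS-initiated service event attributed to the account: excluded by eventType.
    {"eventTime": "2024-05-21T01:00:00Z", "eventName": "RotateKey",
     "eventSource": "kms.amazonaws.com", "eventType": "AwsServiceEvent",
     "sourceIPAddress": "kms.amazonaws.com",
     "userIdentity": {"type": "Root", "accountId": "123456789012"}},
    # Ordinary IAM user activity: not root, ignored.
    {"eventTime": "2024-05-21T09:30:00Z", "eventName": "GetCallerIdentity",
     "eventSource": "sts.amazonaws.com", "eventType": "AwsApiCall",
     "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice",
                      "accountId": "123456789012"}},
]})


def is_root_usage(record):
    """True when a record represents the root user acting directly."""
    ident = record.get("userIdentity") or {}
    return (
        ident.get("type") == "Root"
        and "invokedBy" not in ident
        and record.get("eventType") != "AwsServiceEvent"
    )


def root_usage_alerts(trail_json):
    """Return one alert dict per matching record, oldest first."""
    records = json.loads(trail_json).get("Records", [])
    alerts = [
        {"time": r["eventTime"], "event": r["eventName"],
         "source": r.get("eventSource"), "ip": r.get("sourceIPAddress")}
        for r in records if is_root_usage(r)
    ]
    return sorted(alerts, key=lambda a: a["time"])


if __name__ == "__main__":
    for alert in root_usage_alerts(SAMPLE_TRAIL):
        print(f"ROOT USAGE {alert['time']} {alert['event']} from {alert['ip']}")
```

Of the five sample records, only the console sign-in and the CreateAccessKey call are flagged; the CloudFormation call carries invokedBy and the KMS record is an AwsServiceEvent, so neither would page an on-call engineer, which is the point of those two exclusions.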
How Datadog can help
Cloud Security Management
Datadog Cloud Security Management flags this misconfiguration with the out-of-the-box rule "Datadog CSPM Rule | Root account credentials have not been used in the past 30 days".