Root account access keys
Check ID: aws-iam-008
AWS-IAM-008 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. Checks if the root account has active access keys. Root access keys grant unrestricted access to all AWS resources and cannot be restricted by IAM policies.
Why it matters
Root access keys are the single most dangerous credential in any AWS account. They provide unrestricted access to every AWS service and resource, including the ability to close the account itself. Unlike IAM user keys, root access keys cannot be restricted by permission boundaries or IAM policies, and SCPs reach the root user only in member accounts of an AWS Organization, never in the management account. If compromised, an attacker has absolute control: they can delete all resources, create backdoor users, disable all logging, and exfiltrate every byte of data. The 2023 Mitiga research report documented multiple incidents where compromised root access keys led to complete account takeover within minutes, including cryptocurrency mining, data destruction, and ransom demands. AWS explicitly recommends never creating root access keys for any reason.
Common causes
Root access keys are often created during the initial AWS account setup when the root account is the only identity available. Legacy scripts and automation tools may have been configured with root keys years ago before IAM best practices were widely adopted. Some organizations create root keys as break-glass credentials without realizing that IAM roles with appropriate trust policies serve this purpose more safely.
Detection
Run cloud-audit to detect this issue:
pip install cloud-audit
cloud-audit scan -R
The -R flag includes remediation details for every finding, including this one.
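For readers who want to reproduce the check outside the scanner, the following is an added example (not cloud-audit's own code) that evaluates the IAM credential report, the same data source CIS 1.4 audits use. The column layout is AWS's real credential report format; the report contents below are constructed sample data, and the account id and user names in them are placeholders. The fetch_report helper uses the real boto3 calls generate_credential_report and get_credential_report but is only needed when running against a live account.

```python
import csv
import io
import time

# Constructed sample credential report in the layout returned by
# iam:GetCredentialReport. The root row has access key 1 active (a finding).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2019-01-01T00:00:00+00:00,not_supported,2024-01-01T00:00:00+00:00,not_supported,not_supported,true,true,2019-01-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2020-01-01T00:00:00+00:00,true,2024-01-01T00:00:00+00:00,2024-01-01T00:00:00+00:00,N/A,true,true,2024-01-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# AWS names the root user row exactly like this in the credential report.
ROOT_USER = "<root_account>"
KEY_SLOTS = ("access_key_1", "access_key_2")


def root_access_keys_from_report(report_csv: str) -> list[str]:
    """Return the root access key slots whose *_active column is true."""
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == ROOT_USER:
            return [slot for slot in KEY_SLOTS
                    if row[f"{slot}_active"].strip().lower() == "true"]
    # A report without a root row is malformed; fail loudly rather than PASS.
    raise ValueError("credential report has no <root_account> row")


def evaluate(report_csv: str) -> dict:
    """Produce a finding in the spirit of aws-iam-008: FAIL if any root key is active."""
    active = root_access_keys_from_report(report_csv)
    return {
        "check_id": "aws-iam-008",
        "status": "FAIL" if active else "PASS",
        "active_root_keys": active,
        "remediation": ("Delete the key in the console: IAM > Security credentials "
                        "> Access keys, then use IAM roles instead") if active else None,
    }


def root_keys_present_from_summary(summary_map: dict) -> bool:
    """Cheaper cross-check: iam:GetAccountSummary exposes AccountAccessKeysPresent (1 or 0)."""
    return int(summary_map.get("AccountAccessKeysPresent", 0)) == 1


def fetch_report(iam_client, timeout_s: int = 60) -> str:
    """Generate and download a fresh credential report with boto3 (live account only).

    iam_client is an object such as boto3.client("iam"); AWS builds the report
    asynchronously, so poll until the state is COMPLETE.
    """
    deadline = time.monotonic() + timeout_s
    while iam_client.generate_credential_report()["State"] != "COMPLETE":
        if time.monotonic() > deadline:
            raise TimeoutError("credential report was not ready in time")
        time.sleep(2)
    return iam_client.get_credential_report()["Content"].decode("utf-8")


if __name__ == "__main__":
    # Offline run against the constructed sample; for a live check use
    # evaluate(fetch_report(boto3.client("iam"))) with read-only IAM credentials.
    print(evaluate(SAMPLE_REPORT))
```

Running it against the sample reports FAIL with access_key_1 listed; the same evaluate function applied to a live report needs only iam:GenerateCredentialReport and iam:GetCredentialReport, so the audit can run from a read-only role rather than any privileged credential.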
Remediation: AWS CLI
# Root access keys must be deleted via AWS Console:
# 1. Sign in as root: https://console.aws.amazon.com/
# 2. Go to: IAM > Security credentials > Access keys
# 3. Delete all access keys
# Alternatively, use CLI if you have the root key (not recommended).
# List the root user's keys first to find the key id, then delete each one:
# aws iam list-access-keys
# aws iam delete-access-key --access-key-id AKIAXXXXXXXXXXXXXXXX
Remediation: Terraform
# Root access keys cannot be managed via Terraform.
# Delete them via AWS Console and use IAM roles instead:
resource "aws_iam_role" "admin" {
  name = "admin-role"
  # Use this role instead of root access keys.
  # A trust policy is required; ACCOUNT_ID is a placeholder for your own account id.
  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "sts:AssumeRole", Principal = { AWS = "arn:aws:iam::ACCOUNT_ID:root" } }]
  })
}
Compliance mapping
This check maps to CIS 1.4 in the CIS AWS Foundations Benchmark. The CIS Benchmark provides prescriptive guidance for configuring security options for a subset of AWS services.
This check is part of cloud-audit - install with pip install cloud-audit
Related article
AWS Security Audit: 17 Issues in Every Account →