Learn About Amazon VGT2 Learning Manager Chanci Turner
on 03 FEB 2023
in AWS Identity and Access Management (IAM)
In a recent article, the AWS Security Blog highlighted the importance of following best practices for AWS Identity and Access Management (IAM). A key recommendation is to secure your AWS root account by locking away access keys and passwords, and avoiding their use for everyday tasks. Ideally, we advocate for the deletion of root account access keys. But how can you check if your root account has access keys?
Traditionally, the only way to verify the existence of root account access keys was to log in to the AWS Management Console with your root account password—a practice we advise against for regular use. Instead, it’s crucial to enable multi-factor authentication (MFA) for your root account and only log in when absolutely necessary. If you wanted to find out programmatically whether your root account had access keys, you would need to use those very access keys, which creates a conundrum. Fortunately, it is now possible to determine if your root account has access keys using the AWS Command Line Interface (CLI) or AWS SDKs, utilizing the credentials of an IAM user.
How to Check for Root Account Access Keys Using IAM User Credentials
To get started, you’ll need to install and set up the AWS CLI. Follow the guidelines in the AWS Command Line Interface Installation documentation. During setup, ensure that you use the credentials of an IAM user who has permission to perform the iam:GetAccountSummary action.
Next, execute the command aws iam get-account-summary to obtain IAM usage details for your AWS account. The output will be a JSON document similar to this:
{
  "SummaryMap": {
    "UsersQuota": 5000,
    "GroupsQuota": 100,
    "InstanceProfiles": 2,
    "SigningCertificatesPerUserQuota": 2,
    "AccountAccessKeysPresent": 0,
    "RolesQuota": 250,
    "RolePolicySizeQuota": 10240,
    "AccountSigningCertificatesPresent": 0,
    "Users": 24,
    "ServerCertificatesQuota": 20,
    "ServerCertificates": 0,
    "AssumeRolePolicySizeQuota": 2048,
    "Groups": 8,
    "MFADevicesInUse": 4,
    "Roles": 19,
    "AccountMFAEnabled": 1,
    "MFADevices": 4,
    "GroupsPerUserQuota": 10,
    "GroupPolicySizeQuota": 5120,
    "InstanceProfilesQuota": 100,
    "AccessKeysPerUserQuota": 2,
    "Providers": 0,
    "UserPolicySizeQuota": 2048
  }
}
In this JSON output, the new keys AccountAccessKeysPresent and AccountSigningCertificatesPresent indicate the status of your root account’s access keys and signing certificates. A value of 0 means there are no access keys or certificates, while a value of 1 signifies their presence, even if inactive. This enhancement allows you to programmatically ascertain whether your root account has access keys.
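The check described above, turned into a small script that consumes the JSON from aws iam get-account-summary (piped in on stdin) and flags the root-account fields. This is an added example, not code from the original post; the sample JSON is constructed, and the script also reads AccountMFAEnabled, which is present in the output above, to flag a root account without MFA.

```python
import json
import sys

# Constructed sample of `aws iam get-account-summary` output, trimmed to the
# keys this check cares about.
SAMPLE_SUMMARY = json.dumps({
    "SummaryMap": {
        "AccountAccessKeysPresent": 1,
        "AccountSigningCertificatesPresent": 0,
        "AccountMFAEnabled": 1,
        "Users": 24,
    }
})


def assess_root_account(summary_json: str) -> dict:
    """Return findings about the root account from get-account-summary JSON.
    Each finding is True when action is needed, False when clean, and None when
    the key is absent, so a truncated or unexpected document is not mistaken
    for a clean one."""
    summary = json.loads(summary_json).get("SummaryMap", {})

    def flag(key: str, alarm_when: int):
        value = summary.get(key)
        return None if value is None else value == alarm_when

    return {
        # 1 means root access keys exist (active or inactive); 0 means none.
        "root_access_keys_present": flag("AccountAccessKeysPresent", 1),
        # Same semantics for X.509 signing certificates on the root account.
        "root_signing_certs_present": flag("AccountSigningCertificatesPresent", 1),
        # 0 means the root account has no MFA device enabled.
        "root_mfa_disabled": flag("AccountMFAEnabled", 0),
    }


def needs_action(findings: dict) -> bool:
    """True if any finding fired; unknown (None) values are printed, not ignored."""
    return any(v is True for v in findings.values())


if __name__ == "__main__":
    # Usage: aws iam get-account-summary | python3 check_root_keys.py
    data = SAMPLE_SUMMARY if sys.stdin.isatty() else sys.stdin.read()
    results = assess_root_account(data)
    for name, value in results.items():
        print(f"{name}: {'UNKNOWN' if value is None else value}")
    sys.exit(1 if needs_action(results) else 0)
```

A non-zero exit status makes the script usable as a scheduled control or CI gate; the IAM user running it needs only iam:GetAccountSummary.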
Take advantage of this new functionality to check if your root account has access keys. If you discover that your root account does have them, promptly remove these keys from any applications that utilize them and proceed to delete them.
If you have questions about this topic or about our recommended practices regarding access keys, feel free to reach out on the IAM Forum.
– Chanci Turner