Root Account Credentials Usage

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access reports, select Credential report.

04 Choose Download Report to download the report that lists all your Amazon IAM users and the status of their credentials.

05 Open the downloaded file in your preferred CSV file editor and check the date/time value (timestamp) available in the password_last_used column for the <root_account> user to determine when the root account credentials have been last used. If the password_last_used timestamp shows a date recorded in the past 7 days, the root credentials have been used recently to access your AWS cloud account, therefore the root account access policy is not compliant (does not follow IAM security best practices).

06 Repeat steps no. 1 – 5 for each AWS cloud account that you want to examine.

01 Run get-credential-report command (OSX/Linux/UNIX) to obtain the IAM credential report for your AWS cloud account. A credential report is a CSV document that lists all the AWS users (root and IAM users) created within your AWS cloud account and the current status of their access credentials:

aws iam get-credential-report

02 The command output should return the requested document in a TEXT/CSV format, encoded with the Base64 encoding scheme, as shown in the example below:

{
	"Content": "abcdabcdabcdabcdabcdabcdabcdabc",
	"ReportFormat": "text/csv",
	"GeneratedTime": "2021-04-16T15:00:00+00:00"
}

03 Decode the IAM credential report content from the command line (OSX/Linux/UNIX) using the Base64 string returned at the previous step as the input data. In the following example, the report is decoded and saved to a file named cc-iam-credentials-report.csv:

echo -n abcdabcdabcdabcdabcdabcdabcdabc | base64 –d >> cc-iam-credentials-report.csv

04 Open the cc-iam-credentials-report.csv file in your preferred CSV file editor and check the date/time value (timestamp) available in the password_last_used column for the <root_account> user to determine when the root account credentials have been last used. If the password_last_used timestamp shows a date recorded in the past 7 days, the root credentials have been recently used to access your AWS cloud account, therefore the root account access policy is not compliant.

05 Repeat steps no. 1 – 4 for each AWS cloud account that you want to examine.

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Resources": {
		"IAMUser": {
			"Type": "AWS::IAM::User",
			"Properties": {
				"UserName": "cc-ec2-instance-manager",
				"Path": "/",
				"LoginProfile": {
					"Password": "password",
					"PasswordResetRequired": true
				}
			}
		},
		"IAMUserPolicy": {
			"Type": "AWS::IAM::Policy",
			"Properties": {
				"PolicyName": "ec2-instance-access-policy",
				"PolicyDocument": {
					"Version": "2012-10-17",
					"Statement": [
						{
							"Action": "ec2:*",
							"Effect": "Allow",
							"Resource": "*"
						}
					]
				},
				"Users": [
					{
						"Ref": "IAMUser"
					}
				]
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
	Resources:
	IAMUser:
		Type: AWS::IAM::User
		Properties:
		UserName: cc-ec2-instance-manager
		Path: /
		LoginProfile:
			Password: password
			PasswordResetRequired: true
	IAMUserPolicy:
		Type: AWS::IAM::Policy
		Properties:
		PolicyName: ec2-instance-access-policy
		PolicyDocument:
			Version: '2012-10-17'
			Statement:
			- Action: ec2:*
				Effect: Allow
				Resource: '*'
		Users:
			- !Ref 'IAMUser'

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}
	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_iam_user" "iam-user" {
	name                 = "cc-ec2-instance-manager"
	path                 =  "/"
}

resource "aws_iam_user_login_profile" "user-login-profile" {
	user                    = aws_iam_user.iam-user.name
	password                = [password]
	password_reset_required = true
}

resource "aws_iam_policy" "iam-policy" {
	name   = "ec2-instance-access-policy"
	policy = <<EOF
	{
		"Version": "2012-10-17",
		"Statement": [
			{
				"Action": "ec2:*",
				"Effect": "Allow",
				"Resource": "*"
			}
		]
	}
	EOF
}

resource "aws_iam_policy_attachment" "iam-user-attachment" {
	name       = "iam-user-attachment"
	users      = [aws_iam_user.iam-user.name]
	policy_arn = aws_iam_policy.iam-policy.arn
}

01 Sign in to the AWS Management Console using the root account credentials.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access management, choose Users.

04 Click on the Add user button from the console top menu to initiate the IAM user setup.

05 On the Add usersetup page, perform the following actions:

1. Provide a unique name for your new IAM user in the User name box. Choose Add another user if you want to create multiple IAM users at once.
2. For Access type, choose AWS Management Console access to enable the password-based access for the new IAM user. This will allow the user to sign-in to the AWS Management Console.
3. For Console password, choose whether you want to use a custom password or an autogenerated one.
4. (Optional) Select the Require password reset to require creating a new password at the next sign-in.
5. Select the Permissions tab and click the Attach Policy button to define the user access permissions.
6. Choose Next: Permissions to configure the IAM user permissions.
7. For Set permissions, choose Attach existing policies directly to attach a managed policy to the new IAM user, or select Add user to group to add the new user to an existing group (if available). For example, attach an AWS-managed policy named AdministratorAccess to provide the user full access to AWS services and resources.
8. For Set permissions boundary, choose whether to set a permissions boundary to control the maximum permissions that the new IAM user can have.
9. Choose Next: Tags to configure the IAM user tags.
10. Use the Key and Value (optional) text fields to create tags for your new user. Amazon IAM tags are key-value pairs that you can add to your user. Tags can include user information, such as an email address, or can be descriptive, such as a job title. You can use the tags to organize, track, or control access for the new IAM user.
11. Select Next: Review to review the user configuration details, then choose Create user to create your new Amazon IAM user.
12. Select Download .csv to download your new IAM user credentials.
13. Choose Close to return to the Amazon IAM console.

06 To enable Multi-Factor Authentication (MFA) for the newly created IAM user, follow the steps outlined in this conformity rule.

07 In the navigation panel, choose Dashboard and copy the sign-in link listed under Sign-in URL for IAM users in this account to your clipboard.

08 Sign out from your AWS root account, paste the sign-in link copied at the previous step into your browser address bar, and sign in to the AWS Management Console with your new IAM user credentials (user name, password, and MFA passcode).

01 Run create-user command (OSX/Linux/UNIX) to create a new Amazon IAM user necessary for everyday access to your AWS cloud account:

aws iam create-user
  --user-name cc-cloud-admin-user

02 The command output should return the metadata available for the new IAM user:

{
	"User": {
		"Path": "/",
		"UserName": "cc-cloud-admin-user",
		"UserId": "ABCDABCDABCDABCDABCDA",
		"Arn": "arn:aws:iam::123456789012:user/cc-cloud-admin-user",
		"CreateDate": "2021-04-22T15:00:00+00:00"
	}
}

03 To define and attach identity-based policies to your new IAM user based on the policy type that you want to use, perform one of the following sets of commands:

1. To attach managed IAM policies:
   • Run attach-user-policy command (OSX/Linux/UNIX) to attach the specified managed IAM policy to the specified IAM user. For example, attach an AWS-managed IAM policy identified by the ARN arn:aws:iam::aws:policy/AdministratorAccess if you want to provide full access to AWS services and resources via the AWS Management Console (the command does not produce an output):
     aws iam attach-user-policy
       --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
       --user-name cc-cloud-admin-user
     

2. To define and attach inline IAM policies:
   • For example, to define an inline policy that allows access to your AWS services and resources, paste the following policy document to a JSON file named cc-iam-user-inline-policy.json:
     {
     	"Version": "2012-10-17",
     	"Statement": [
     		{
     			"Effect": "Allow",
     			"Action": "*",
     			"Resource": "*"
     		}
     	]
     }
     

   • Run put-user-policy command (OSX/Linux/UNIX) to attach the inline policy defined at the previous step to the specified IAM user (if successful, the command does not produce an output):
     aws iam put-user-policy
       --user-name cc-cloud-admin-user
       --policy-name cc-cloud-full-access
       --policy-document file://cc-iam-user-inline-policy.json
     

04 Run create-login-profilecommand (OSX/Linux/UNIX) to assign a password for your new Amazon IAM user. Replace <iam-user-password> with your own password:

aws iam create-login-profile
  --user-name cc-cloud-admin-user
  --password <iam-user-password>
  --no-password-reset-required

05 The command output should return the Amazon IAM user login profile metadata:

{
	"LoginProfile": {
		"UserName": "cc-cloud-admin-user",
		"CreateDate": "2021-04-22T17:00:00+00:00",
		"PasswordResetRequired": false
	}
}

06 To enable Multi-Factor Authentication (MFA) for the newly created IAM user, follow the steps outlined in this conformity rule.