Ensure using AWS Account root user is avoided

Error: AWS Account root user is used

Bridgecrew Policy ID: BC_AWS_IAM_1
Severity: CRITICAL


Description

The AWS Account Root User is the first identity created with the AWS Account and has the highest level of privileges. It has unrestricted access to every AWS service and resource, and its access cannot be limited by IAM policies. It is intended only for the small set of account-management tasks that require it, such as changing account settings, closing the account or creating the first administrative identity.

We recommend you minimize use of the Root User account by adopting the Principle of Least Privilege for access management: day-to-day and administrative work should go through IAM identities scoped to what they need. This reduces the risk of accidental changes and of exposing credentials that, if disclosed, give an attacker complete control of the account with no policy boundary to stop them.

Fix - Runtime

Procedure

Replace use of the AWS root user with IAM identities (users or roles) that hold only the minimal set of permissions necessary to access and manage the required AWS resources and services. For example, create an MFA-enabled user or role that can perform a limited set of privileged activities; for a break-glass administrator, the AWS-managed AdministratorAccess policy can be attached to a dedicated, MFA-protected identity. Reserve the root user for tasks that only it can perform, enable MFA on it, and delete any root access keys. Confirm the change by checking CloudTrail for root activity and the IAM credential report for the <root_account> row.
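The following is an added example (not code from the Bridgecrew policy or from AWS) showing the two checks a practitioner runs to verify this fix: scanning CloudTrail records for interactive root activity, using the same conditions the CIS AWS Foundations Benchmark root-usage alarm uses (userIdentity.type is Root, no userIdentity.invokedBy, and eventType is not AwsServiceEvent), and reading the <root_account> row of the IAM credential report for recent password use, MFA status and active access keys. The CloudTrail records, the credential report (a subset of its real columns), the account ID and timestamps are all constructed for the example; in practice the inputs come from your trail's S3 objects and from iam generate-credential-report.

```python
"""Offline checks for AWS root-user activity (added example, not from the policy page)."""
import csv
import io
import json
from datetime import datetime, timedelta

# Constructed CloudTrail log file for the example (account ID and IPs are made up).
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {   # interactive console login as root: must be flagged
        "eventTime": "2024-03-10T08:15:22Z", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
        "userIdentity": {"type": "Root", "accountId": "123456789012",
                         "arn": "arn:aws:iam::123456789012:root"},
        "sourceIPAddress": "198.51.100.7",
    },
    {   # an AWS service acting on the account's behalf: not root usage
        "eventTime": "2024-03-10T09:00:00Z", "eventSource": "s3.amazonaws.com",
        "eventName": "GetBucketAcl", "eventType": "AwsServiceEvent",
        "userIdentity": {"type": "Root", "accountId": "123456789012",
                         "invokedBy": "config.amazonaws.com"},
        "sourceIPAddress": "config.amazonaws.com",
    },
    {   # ordinary IAM user call: not root usage
        "eventTime": "2024-03-10T09:30:45Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances", "eventType": "AwsApiCall",
        "userIdentity": {"type": "IAMUser", "accountId": "123456789012",
                         "userName": "ops-readonly"},
        "sourceIPAddress": "203.0.113.20",
    },
    {   # root API call made with a root access key: must be flagged
        "eventTime": "2024-03-11T02:05:10Z", "eventSource": "iam.amazonaws.com",
        "eventName": "CreateUser", "eventType": "AwsApiCall",
        "userIdentity": {"type": "Root", "accountId": "123456789012",
                         "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
        "sourceIPAddress": "198.51.100.7",
    },
]})

# Constructed credential report; the real report has more columns, parsed by name.
SAMPLE_CREDENTIAL_REPORT = """user,arn,password_last_used,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::123456789012:root,2024-03-10T08:15:22+00:00,false,true,false
ops-readonly,arn:aws:iam::123456789012:user/ops-readonly,2024-03-10T09:30:45+00:00,true,false,false
"""


def is_root_usage(record):
    """CIS-style filter: root identity, not invoked by a service, not a service event."""
    ident = record.get("userIdentity", {})
    return (ident.get("type") == "Root"
            and "invokedBy" not in ident
            and record.get("eventType") != "AwsServiceEvent")


def find_root_usage(cloudtrail_json):
    """Return (eventTime, eventName, sourceIPAddress) for each interactive root event."""
    records = json.loads(cloudtrail_json)["Records"]
    return [(r["eventTime"], r["eventName"], r.get("sourceIPAddress", "?"))
            for r in records if is_root_usage(r)]


def check_root_credentials(report_csv, now_iso, max_age_days=90):
    """Findings for the <root_account> row: recent password use, MFA, access keys."""
    now = datetime.fromisoformat(now_iso)
    rows = csv.DictReader(io.StringIO(report_csv))
    root = next(r for r in rows if r["user"] == "<root_account>")
    findings = []
    last_used = root["password_last_used"]
    # AWS writes no_information / N/A / not_supported when there is no timestamp.
    if last_used not in ("no_information", "N/A", "not_supported"):
        age = now - datetime.fromisoformat(last_used)
        if age < timedelta(days=max_age_days):
            findings.append(f"root password last used {age.days} day(s) ago")
    if root["mfa_active"] != "true":
        findings.append("root MFA not enabled")
    for key in ("access_key_1_active", "access_key_2_active"):
        if root[key] == "true":
            findings.append(f"root {key.replace('_active', '')} is active")
    return findings


if __name__ == "__main__":
    for event in find_root_usage(SAMPLE_CLOUDTRAIL):
        print("root usage:", *event)
    for finding in check_root_credentials(SAMPLE_CREDENTIAL_REPORT, "2024-03-12T00:00:00+00:00"):
        print("credential report:", finding)
```

The invokedBy and AwsServiceEvent exclusions matter: services such as AWS Config and Elastic Beanstalk emit events whose userIdentity.type is Root, and flagging them produces a constant stream of false alarms that trains operators to ignore the real ones. The same three conditions can be expressed as a CloudWatch Logs metric filter on the trail's log group and wired to an alarm, which is the runtime control that complements the procedure above.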

Fix - Buildtime

Consider using AirIAM, an open source project that analyses existing over-permissive IAM settings and generates least-privilege IAM manifests to replace them, so that administrative access is defined in code as scoped IAM identities rather than falling back to the root user.