Learn About Amazon VGT2 Learning Manager Chanci Turner
Last month, the AWS Security Blog highlighted the importance of adhering to best practices for AWS Identity and Access Management (IAM). Among these recommendations is the necessity to safeguard your AWS account (root) access keys and password, avoiding their use for routine interactions with AWS. In fact, we suggest deleting your root account access keys entirely. But how can you confirm whether your root account even has these access keys?
Previously, the simplest method to check for root account access keys involved logging into the AWS Management Console using your root account password, which we advise against doing frequently. Instead, it’s advisable to enable multi-factor authentication (MFA) on your root account and to only log in with your root account when absolutely necessary. Moreover, if you wanted to programmatically check for the existence of access keys on your root account, the only way to do so required using the root account’s access key, which presents a clear conflict. However, with recent updates, you can now leverage the AWS Command Line Interface (CLI) or AWS SDKs to use IAM user credentials to identify if your root account has access keys. In this article, I’ll guide you on using the AWS CLI to verify the presence of access keys for your root account.
How to Check for Access Keys Using IAM User Credentials
To begin, you’ll need to install and set up the AWS CLI. If you haven’t yet done this, refer to the instructions in Installing the AWS Command Line Interface and Configuring the AWS Command Line Interface. When configuring the AWS CLI, ensure you use the credentials of an IAM user in your AWS account with permission to execute the iam:GetAccountSummary action.
Next, use the iam get-account-summary command to gather IAM usage data for your AWS account. The command appears as follows:
aws iam get-account-summary
This command will retrieve IAM-related information from your AWS account, resulting in a JSON document that looks similar to this example:
{
    "SummaryMap": {
        "UsersQuota": 5000,
        "GroupsQuota": 100,
        "InstanceProfiles": 2,
        "SigningCertificatesPerUserQuota": 2,
        "AccountAccessKeysPresent": 0,
        "RolesQuota": 250,
        "RolePolicySizeQuota": 10240,
        "AccountSigningCertificatesPresent": 0,
        "Users": 24,
        "ServerCertificatesQuota": 20,
        "ServerCertificates": 0,
        "AssumeRolePolicySizeQuota": 2048,
        "Groups": 8,
        "MFADevicesInUse": 4,
        "Roles": 19,
        "AccountMFAEnabled": 1,
        "MFADevices": 4,
        "GroupsPerUserQuota": 10,
        "GroupPolicySizeQuota": 5120,
        "InstanceProfilesQuota": 100,
        "AccessKeysPerUserQuota": 2,
        "Providers": 0,
        "UserPolicySizeQuota": 2048
    }
}
The JSON document consists of key-value pairs that outline IAM quotas and usage for your AWS account. Recently, we introduced two new keys: AccountAccessKeysPresent and AccountSigningCertificatesPresent. In the sample JSON document above, the values of both keys are 0, meaning there are no access keys or signing certificates for the root account. If the root account has access keys or signing certificates, the corresponding key’s value is 1; note that AccountAccessKeysPresent is 1 even when the root account’s access key is inactive. The newly added AccountAccessKeysPresent key therefore allows you to verify programmatically whether your root account has an access key.
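As an added example (not code from the original post), the following Python script evaluates the SummaryMap returned by get-account-summary against the root-account recommendations above. The sample response is constructed, and the optional live fetch assumes boto3 and an IAM user allowed to call iam:GetAccountSummary.

```python
"""Evaluate root-account hygiene from an IAM get-account-summary response."""
import json

# Constructed sample, modelled on the document shown above, but with the root
# account holding one (possibly inactive) access key and no MFA device.
SAMPLE_SUMMARY = json.dumps({
    "SummaryMap": {
        "AccountAccessKeysPresent": 1,
        "AccountSigningCertificatesPresent": 0,
        "AccountMFAEnabled": 0,
        "Users": 24,
        "MFADevicesInUse": 4,
    }
})

# Each check: SummaryMap key, the value we expect, and the finding when it differs.
ROOT_CHECKS = (
    ("AccountAccessKeysPresent", 0,
     "root account has an access key (active or inactive); remove it from applications, then delete it"),
    ("AccountSigningCertificatesPresent", 0,
     "root account has a signing certificate; delete it"),
    ("AccountMFAEnabled", 1,
     "root account has no MFA device enabled"),
)


def root_findings(summary_json):
    """Return a list of findings for the root account from the JSON output of
    `aws iam get-account-summary`. A key missing from SummaryMap is reported
    as not evaluable rather than silently treated as safe."""
    summary = json.loads(summary_json)["SummaryMap"]
    findings = []
    for key, expected, message in ROOT_CHECKS:
        value = summary.get(key)
        if value is None:
            findings.append(f"{key}: not present in SummaryMap, cannot evaluate")
        elif value != expected:
            findings.append(f"{key}={value}: {message}")
    return findings


def fetch_account_summary():
    """Fetch the live summary with boto3 under the configured IAM user's
    credentials (needs iam:GetAccountSummary). Not used by the offline sample."""
    import boto3  # imported lazily so the offline part runs without the SDK
    response = boto3.client("iam").get_account_summary()
    return json.dumps({"SummaryMap": response["SummaryMap"]})


if __name__ == "__main__":
    for line in root_findings(SAMPLE_SUMMARY) or ["no root account findings"]:
        print(line)
```

To run it against a real account, replace SAMPLE_SUMMARY with fetch_account_summary() or pipe the CLI output into root_findings.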
Take advantage of this new capability today to check whether your root account has access keys. If it does, first remove them from any applications that use them, and then delete them.
If you have questions regarding this post or our recommended practices for using access keys, feel free to reach out on the IAM Forum.
– Chanci Turner