root-account-in-use.md

File metadata and controls

38 lines (33 loc) · 4.42 KB

CloudSploit

AWS / IAM / Root Account In Use

Quick Info

| Field | Value |
|---|---|
| Plugin Title | Root Account In Use |
| Cloud | AWS |
| Category | IAM |
| Description | Ensures the root account is not being actively used |
| More Info | The root account should not be used for day-to-day account management. IAM users, roles, and groups should be used instead. |
| AWS Link | http://docs.aws.amazon.com/general/latest/gr/root-vs-iam.html |
| Recommended Action | Create IAM users with appropriate group-level permissions for account access. Create an MFA token for the root account, and store its password and token generation QR codes in a secure place. |

Detailed Remediation Steps

  1. Log in to the AWS Management Console.
  2. Select the "Services" option and search for IAM.
  3. Scroll down the left navigation panel and choose "Credential report". Click the "Download Report" button to download a report that lists all of the account's users and the status of their various credentials.
  4. Open the downloaded credential report and check the "password_last_used_date" column for the root account. If the timestamp falls within the last 7 days, the root credentials have been used to access the AWS account.
  5. Repeat steps 2 to 4 for other AWS accounts.
  6. Scroll down the left navigation panel and choose "Users".
  7. Click the "Add User" button to add a new user.
  8. On the "Add User" page, provide the "User name" for the new IAM user. Under "Select AWS access type", select "Programmatic access" and/or "AWS Management Console access", and choose either an "Autogenerated password" or a "Custom password". Also select "Require password reset" so that the new IAM user must reset the password at the next sign-in, then click the "Next: Permissions" button.
  9. On the "Set Permissions" page, select the group that carries the "AdministratorAccess" policy to give the new IAM user full "AWS Management Console" access. If no such group exists, click the "Create Group" button and create a new group with the "AdministratorAccess" policy.
  10. Click the "Next: Tags" button to continue the new IAM user configuration.
  11. On the "Add tags (optional)" page, provide a "Key" and "Value". Tags can be used to organize, track, or control access for the user.
  12. Click the "Next: Review" button to verify the new IAM user's configuration details.
  13. On the "Review" page, click the "Create user" button to create the new user.
  14. To assign MFA to the new IAM user, click the user's name in the "User name" column of the "Users" page.
  15. Click the "Security Credentials" tab and find the "Assigned MFA device" option.
  16. Click "Manage" to assign an MFA device of your choice. Select "Virtual MFA device" and click "Continue".
  17. Install an AWS-compatible MFA application on a mobile device or computer. Once the application is installed, click "Show QR code" and scan the code with the application.
  18. Enter two consecutive MFA codes generated by the application in "MFA code 1" and "MFA code 2", then click the "Assign MFA" button.
  19. On successful setup, the message "You have successfully assigned virtual MFA" will appear.
  20. These steps ensure that the root account is not being actively used to administer AWS services.
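The check in steps 3 and 4 can be automated rather than read off the console. The following is an added example, not CloudSploit's plugin code: it parses an IAM credential report (a constructed sample is embedded so it runs offline), finds the `<root_account>` row and flags any root credential use inside the 7-day window. It accepts both the column name used in the steps above, `password_last_used_date`, and `password_last_used`, the header AWS currently emits, and it goes one step beyond the console procedure by also checking the root access-key last-used columns. The `fetch_credential_report` helper assumes `boto3` and configured AWS credentials and is not needed for the offline run.

```python
"""Flag recent use of the AWS root account from an IAM credential report.

Added example mirroring steps 3-4 of the remediation above; it is not
CloudSploit's own plugin code.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

ROOT_USER = "<root_account>"  # value AWS places in the "user" column for the root row
# Placeholder strings AWS uses instead of a timestamp.
NO_DATE = {"N/A", "no_information", "not_supported", ""}

# Constructed sample report. Real reports carry more columns; these are the
# ones the check needs, with the header names AWS emits.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2019-01-01T00:00:00+00:00,not_supported,2024-03-10T08:15:00+00:00,false,true,2024-03-11T12:00:00+00:00,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2020-05-05T00:00:00+00:00,true,2024-03-12T09:00:00+00:00,true,true,2024-03-12T09:30:00+00:00,false,N/A
"""


def parse_timestamp(value):
    """Return an aware datetime, or None for AWS's placeholder strings."""
    if value is None or value.strip() in NO_DATE:
        return None
    return datetime.fromisoformat(value.strip().replace("Z", "+00:00"))


def root_usage(report_csv, now=None, window_days=7):
    """Inspect the root row and report any credential use within the window.

    Returns a dict with in_use (bool), reasons (list of str), last_used
    (datetime or None) and mfa_active (bool). `now` may be an aware datetime
    or an ISO 8601 string; it defaults to the current UTC time.
    """
    if isinstance(now, str):
        now = parse_timestamp(now)
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=window_days)

    for row in csv.DictReader(io.StringIO(report_csv)):
        if row.get("user") != ROOT_USER:
            continue
        # Column named as in the steps above or as AWS currently emits it.
        password_ts = row.get("password_last_used", row.get("password_last_used_date"))
        checks = {
            "password": password_ts,
            "access key 1": row.get("access_key_1_last_used_date"),
            "access key 2": row.get("access_key_2_last_used_date"),
        }
        reasons, latest = [], None
        for label, raw in checks.items():
            ts = parse_timestamp(raw)
            if ts is None:
                continue  # credential never used, or AWS has no data for it
            if latest is None or ts > latest:
                latest = ts
            if ts >= cutoff:
                reasons.append(f"root {label} used at {ts.isoformat()}")
        return {
            "in_use": bool(reasons),
            "reasons": reasons,
            "last_used": latest,
            "mfa_active": row.get("mfa_active") == "true",
        }
    raise ValueError("credential report has no <root_account> row")


def fetch_credential_report():
    """Fetch the live report with boto3 (assumes configured AWS credentials).

    Not exercised offline. generate_credential_report is asynchronous on the
    AWS side, so a production script should poll until the state is COMPLETE.
    """
    import boto3  # imported lazily so the offline check does not require it

    iam = boto3.client("iam")
    iam.generate_credential_report()
    return iam.get_credential_report()["Content"].decode()


if __name__ == "__main__":
    result = root_usage(SAMPLE_REPORT, now="2024-03-15T00:00:00+00:00")
    for reason in result["reasons"]:
        print("FAIL:", reason)
    if not result["in_use"]:
        print("PASS: no root credential use in the last 7 days")
```

Running the block against the embedded sample with a clock of 2024-03-15 reports two failures (root password and access key 1 used inside the window); moving the clock to 2024-04-01 passes while still retaining the last-used date, which is useful for the CloudSploit-style pass/fail message.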