Ensure no root account access key exists

1.12 Identity and Access Management (AWS CIS Benchmark).


The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account.

It is recommended that all access keys associated with the root account be removed.

Remove access keys associated with the root account via the AWS Management Console

Step 1. Log in to the AWS Management Console as Root and open the IAM console at https://console.aws.amazon.com/iam/.

Step 2. Click on <RootAccount_Name> at the top right and select Security Credentials from the drop-down list.

Step 3. On the pop-out screen, click on Continue to Security Credentials.

Step 4. Click on Access Keys (Access Key ID and Secret Access Key).

Step 5. Under the "Status" column, if there are any Keys that are Active:

  • Click on Make Inactive (i.e., temporarily disable Key if you think you may need it again).
  • Click Delete (i.e., delete the key for good. Deleted keys cannot be recovered).
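
To verify the outcome of the steps above, the following added example (not part of the original page or the benchmark text) checks the root row of an IAM credential report together with the account summary. It assumes the CSV from `aws iam get-credential-report` has already been base64-decoded and the JSON from `aws iam get-account-summary` parsed; the function name `audit_root_keys` and all sample data are constructed for illustration.

```python
import csv
import io

# Constructed sample: abbreviated credential report (real reports carry more columns).
SAMPLE_REPORT = """user,arn,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::111122223333:root,true,true,false
alice,arn:aws:iam::111122223333:user/alice,true,true,false
"""

# Constructed sample: parsed output of `aws iam get-account-summary`.
SAMPLE_SUMMARY = {"SummaryMap": {"AccountAccessKeysPresent": 1, "AccountMFAEnabled": 1}}

KEY_COLUMNS = ("access_key_1_active", "access_key_2_active")


def audit_root_keys(report_csv, account_summary):
    """Return a finding for the 'no root account access key exists' check."""
    rows = csv.DictReader(io.StringIO(report_csv))
    root = next((r for r in rows if r["user"] == "<root_account>"), None)
    if root is None:
        raise ValueError("credential report has no <root_account> row")

    # The *_active columns read "false" both for an inactive key and for no key,
    # so the report alone cannot confirm that a key was deleted (Step 5 offers
    # both Make Inactive and Delete).
    active = [c for c in KEY_COLUMNS if root.get(c, "").strip().lower() == "true"]

    # Presence indicator from the account summary. Indexing directly means a
    # missing field raises KeyError instead of silently passing the check.
    present = int(account_summary["SummaryMap"]["AccountAccessKeysPresent"]) > 0

    if active:
        status = "FAIL: active root access key"
    elif present:
        status = "FAIL: root access key present but inactive; delete it"
    else:
        status = "PASS"
    return {"active_columns": active, "keys_present": present, "status": status}


if __name__ == "__main__":
    print(audit_root_keys(SAMPLE_REPORT, SAMPLE_SUMMARY))
```
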