Other Articles
- IAM - Enable User MFA
- IAM - Enforce Key Rotation
- IAM - Enforce Active Key Limit
- IAM - Disable Unused User Credentials
- IAM - Enforce Group Permission
- IAM - Enforce Password Length
- IAM - Prohibit Password Reuse
- IAM - Enable Root MFA
- IAM - Establish Support Role
- IAM - Enable Key Rotation
- Purge Expired Certificates
- EC2 Volume – Enable EBS Volume Backup
- EC2 Volume – Enable EBS Encryption
- EFS – Enable EFS Storage Backup
- S3 Bucket – Enable S3 Bucket Versioning
- S3 Bucket – Enable S3 Bucket Encryption
- S3 Bucket – Block S3 Bucket Public Access
- RDS DB Instance – Encryption of Storage
- RDS DB Instance – Enable Deletion Protection
- RDS DB Instance – Enable Auto Minor Version Upgrade
- DynamoDB Table – Enable Table Encryption
- DynamoDB Table – Enable Table Point In Time Recovery
- DynamoDB Table – Enable Table Deletion Protection
- EC2 Instance – Monitor CPU Utilization
- ECS Service – Monitor CPU Utilization
- ECS Service – Monitor Memory Utilization
- RDS DB Instance – Monitor Free Storage Space
- RDS DB Instance – Monitor CPU Utilization
- SQS Queue – Monitor Message Age
- SQS Queue – Monitor Message Visibility
- DynamoDB Table – Monitor Table Read Capacity
- DynamoDB Table – Monitor Table Write Capacity
- DynamoDB Table – Monitor Table Latency
- Enable CloudTrail
- Encrypt CloudTrail Logs
- EC2 VPC – Ensure Flow Logs are Enabled
- RDS DB Instance – Block Public Access
- EC2 Instance – Enable Deletion Protection
- ECS Service – Enable Auto Scaling
- Enable AWS Security Hub
- Enable GuardDuty
IAM - Check Root Access Keys Existence
Secure Configuration Checks > AWS
This check ensures that the AWS root account does not have any active access keys. Root access keys provide unrestricted access to the AWS account and should never be used for day-to-day operations.
Check Details
- Resource: General
- Check: Check root access keys existence
- Risk: Root access keys can be misused to gain full control of the AWS account
Remediation via AWS Console
- Log in to the AWS Management Console using the root account.
-
Open the IAM console by searching for IAM in the AWS Console.
- Click on the <root_account> name at the top-right corner and select My Security Credentials.
- On the warning screen, click Continue to Security Credentials.
- Expand the Access keys (access key ID and secret access key) section.
-
If any access keys are present and marked as Active, click Delete.
Note: Deleted root access keys cannot be recovered.
Updated on 06 March, 2026