Introduction
Best practices for securing an AWS environment have been well-documented and generally accepted, such as AWS’s guidance. However, organizations may still find it challenging on how to begin applying this guidance to their specific environments.
- Which controls should be applied out-of-the-box vs. customized?
- What pitfalls exist in implementing the various controls or checks?
- How do you prioritize remediation of the “sea of red” violations?
In this blog series, we’ll analyze anonymized data from Netskope customers that include security settings of 650,000 entities from 1,143 AWS accounts across several hundred organizations. We’ll look at the configuration from the perspective of the best practices, see what’s commonly occurring in the real world and:
- Discuss specific risk areas that should be prioritized
- Identify underlying root causes and potential pitfalls
- Focus on practical guidance for applying the Benchmark to your specific environment
This blog post focuses on the IAM security controls for root account security. Based on the Netskope dataset analyzed, we will highlight three opportunities to improve security by making simple IAM changes:
- Restrict root account access. In these production environments, some root accounts are being used regularly (3%).
- Disable or remove all root account access keys. 4% of root accounts have access keys.
Enforce hardware MFA. 8-9% of root accounts do not have MFA enabled.
Root of it all
Root, Root, go away
Come only with MFA
All the attackers want to play
Root, root, go away
— Nursery rhyme by anonymous AWS Administrator
It is a best practice to avoid using the root account for everyday use, and the prevalence of root account use and associated security issues over time are discussed in detail in The Root of your AWS Insecurities. However, there are several nuanced items worth reemphasizing. When looking at root account best practices in the 1,143 accounts in the dataset, we find:
# | Best Practice | # of Violations | % |
---|---|---|---|
1 | Eliminate use of the root user for administrative and daily tasks | 35 | 3.1 |
2 | Ensure no root user account access key exists | 49 | 4.3 |
3 | Ensure MFA is enabled for the root user account | 111 | 9.7 |
4 | Ensure hardware MFA is enabled for the root user account | 94 | 8.2 |
1. Root Account Use
Background: The root account should not be used for everyday tasks, and should be used only for initial provisioning of an IAM administrator user or only for select tasks that can only be done by the root account.
Data: In this dataset, 35 (3.1%) of the root accounts have been used within the last 7 days prior to the date of analysis.
Analysis: In order to discern whether there are a small number of “repeat-offender” accounts, we performed a longitudinal analysis in The Root of your AWS Insecurities and found that over 4 months, the number of unique accounts using the root account was higher at 15% of the total accounts. This shows that the problem is widespread over a relatively short time period.
The 4.8% usage from this dataset snapshot and the ongoing 15% root account usage is higher than expected and exposes the organization to large adverse impacts in case of compromise.
Controls:
- Detection/Audit
- Root account use can be detected by auditing the IAM credential report:
$ aws iam generate-credential-report
$ aws iam get-credential-report --query 'Content'
--output text | base64 --decode > aws_cred_report.csv
and looking at thepassword_last_used
oraccess_key_N_last_used_date
fields. - AWS GuardDuty will also detect root credential usage
- Those customers with implementations of monitoring using CloudTrail, CloudWatch, or a SIEM can also directly detect events.
As this is the root account (which should not be used for everyday tasks), the number o
- Root account use can be detected by auditing the IAM credential report: