Introduction
The AWS root account can do anything in your account, and it follows that it should be protected with tight security controls:
- Do not use the root account
- Do not create API/access keys in the root account
- Enable MFA on the root account
However, while analyzing root account configuration and use in 915 accounts from 153 production environments over four months, we found that:
- Root account use is widespread. Root account use is common and widespread, occurring in 143 (16%) accounts and in 65 (43%) organizations.
- Root account use occurs repeatedly. 50% of accounts were repeat offenders who accounted for over 86% of the total 517 uses.
- Large environments are exposed: Over 29% of the accounts are medium-sized with 50 to 250 total assets, and 15% are large with over 250 assets.
- Root API keys exist in 54 (6%) accounts.
- Root API keys are used for 13% of all root access.
- Root API keys are not rotated with 96% having keys older than 90 days.
- There is nearly a 2 out of 3 chance that a root access is not protected by MFA.
We will now look at the data in more detail to understand more of the nuances and learnings, including the tradeoffs and the presumed “why’s” behind the problems. We’ll then cover what concrete steps can be taken to reduce the probability and impact of root account compromise.
Root Account Usage
We started with the goal of assessing how much or how often the root account was used in real-world production environments. An average of 915 root accounts were analyzed over a four-month period from September 13, 2020, to January 24, 2021. Credential report data was analyzed using LastLoginTime for the root account. To minimize the skew from newly provisioned accounts (where we would expect the root account to be used for initial configuration), we ignored any root accounts that were created within the past 30 days of the date of audit.
The number of accounts that used the root account at least once in the week preceding the time of audit is shown in the following table:
Some key observations:
Root accounts are being used regularly: On a weekly basis, an average of 26 accounts (2.8% of the total 915 accounts) from an average of 20 organizations (13% of the total 153 organizations) used the root account at least once during that week. Since we expect this to be zero, this should be concerning:
Widespread use: It is not all the same 26 accounts or 20 organizations that repeat this behavior week-to-week. Over the four-month period, 143 accounts (~17% of 915 accounts) and 65 organizations (43% of 153 orgs) accessed the root account at least 517 times. 517 is a high enough number (when it should be zero), that it warrants serious attention. We also had broad participation within organizations (43% or almost 1 out of 2) as well as accounts (16% or 1 out of 6 accounts):
Repeated Use: The 510 total uses occurred in 143 accounts in 65 organizations, so on average each offending account used root over three times. Although there is widespread account participation, there is still some concentration of use. The top 17 (12%) accounts contributed half of the root account usage: