Plugin Title | Root Account In Use |
Cloud | AWS |
Category | IAM |
Description | Ensures the root account is not being actively used |
More Info | The root account should not be used for day-to-day account management. IAM users, roles, and groups should be used instead. |
AWS Link | http://docs.aws.amazon.com/general/latest/gr/root-vs-iam.html |
Recommended Action | Create IAM users with appropriate group-level permissions for account access. Create an MFA token for the root account, and store its password and token generation QR codes in a secure place. |
- Log into the AWS Management Console.
- Select the "Services" option and search for IAM.
- Scroll down the left navigation panel and choose "Credential report". Click on the "Download Report" button to download a report that lists all your account's users and the status of their various credentials.
- Open the downloaded credential report and find the "<root_account>" row. Check the "password_last_used" column: if the timestamp is within the last 7 days, the root password has been used to sign in to the AWS account. Also check the "access_key_1_last_used_date" and "access_key_2_last_used_date" columns in the same row, since root access keys (which should not exist at all) are used outside the console and do not update "password_last_used".
- Repeat steps 2 - 4 for each additional AWS account.
- Scroll down the left navigation panel and choose "Users".
- Click on the "Add User" button to add a new user.
- On the "Add User" page, provide the "User name" for the new IAM user. Under "Select AWS access type", select "Programmatic access", "AWS Management Console access", or both, and for console access choose either an "Autogenerated password" or a "Custom password".
- Further down the "Add User" page, tick "Require password reset" so that the new IAM user must set a new password at the next sign-in.
- Click on the "Next: Permissions" button to continue the new IAM user configuration.
- On the "Set Permissions" page, add the user to a group that carries the "AdministratorAccess" managed policy if this user is to replace root for account administration. If no such group exists, click on the "Create Group" button and create one with the "AdministratorAccess" policy attached. Grant this policy only to the few users who genuinely need it; everyone else should be placed in groups with narrower permissions.
- Click on the "Next: Tags" button to continue the new IAM user configuration.
- On the "Add tags (optional)" page, provide a "Key" and "Value" for each tag. Tags can be used to organize, track, or control access for the user. Click on the "Next: Review" button to verify the new IAM user's configuration details.
- On the "Review" page click on the "Create user" button to create the new user.
- To assign MFA to the new IAM user, click on the user's name in the "User name" column of the "Users" page.
- Click on the "Security Credentials" tab and find the "Assigned MFA device" entry.
- Click on the "Manage" option to assign an MFA device. Select "Virtual MFA device" and click on "Continue".
- Install an AWS-compatible MFA application on a mobile device or computer. Once the application is installed, click on "Show QR code" and scan the code with the application.
- Enter two consecutive MFA codes generated by the application into "MFA code 1" and "MFA code 2", then click on the "Assign MFA" button.
- On successful setup you will see the message "You have successfully assigned virtual MFA".
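The credential report check in steps 3 and 4 can be automated instead of reading the CSV by hand. The following is an added example written for this page, not CloudSploit's own plugin code: it parses a credential report, looks at every column that records when a root credential was last used, and flags anything inside the 7-day window the steps above describe. The report embedded in the block is a constructed, trimmed sample (the column names are the real credential-report headers); the `fetch_credential_report` helper uses the real boto3 IAM calls but assumes boto3 and AWS credentials are available and is not exercised offline.

```python
"""Flag recent root account activity from an IAM credential report.

Added example for this page, not CloudSploit's plugin code. SAMPLE_REPORT is a
constructed, trimmed credential report using the real report column names.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

ROOT_USER = "<root_account>"

# Every report column that records when a root credential was last used.
# The console steps only look at password_last_used; root access keys, if any
# exist, are used outside the console, so their columns are checked as well.
LAST_USED_COLUMNS = (
    "password_last_used",
    "access_key_1_last_used_date",
    "access_key_2_last_used_date",
)

# Constructed sample: root signed in with its password two days before NOW and
# used access key 1 more than a month earlier; "alice" is an ordinary IAM user.
SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,not_supported,2023-05-08T09:15:00+00:00,true,true,2023-04-01T17:42:11+00:00,false,N/A
alice,arn:aws:iam::123456789012:user/alice,true,2023-05-09T08:00:00+00:00,true,true,2023-05-09T08:05:00+00:00,false,N/A
"""
NOW = datetime(2023, 5, 10, 12, 0, tzinfo=timezone.utc)  # assumed "today"


def parse_timestamp(value):
    """Return an aware datetime, or None for the report's non-date markers."""
    if not value or value in ("N/A", "no_information", "not_supported"):
        return None
    # Report timestamps look like 2023-05-08T09:15:00+00:00.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def root_recent_usage(report_csv, now=NOW, window_days=7):
    """Return {column: last_used} for each root credential used within the window.

    An empty dict means the root account passes the check. A report with no
    <root_account> row is incomplete, so that raises rather than passing.
    """
    cutoff = now - timedelta(days=window_days)
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] != ROOT_USER:
            continue
        hits = {}
        for column in LAST_USED_COLUMNS:
            last_used = parse_timestamp(row.get(column, ""))
            if last_used is not None and last_used >= cutoff:
                hits[column] = last_used
        return hits
    raise ValueError("credential report contains no <root_account> row")


def fetch_credential_report():
    """Fetch a live report with boto3 (needs AWS credentials; not run offline).

    generate_credential_report is asynchronous and reports State STARTED or
    INPROGRESS until the report is ready, so poll until COMPLETE. boto3 returns
    Content as already-decoded CSV bytes (the AWS CLI returns it base64-encoded).
    """
    import time
    import boto3  # assumed to be installed; only needed for the live check

    iam = boto3.client("iam")
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)
    return iam.get_credential_report()["Content"].decode("utf-8")


if __name__ == "__main__":
    hits = root_recent_usage(SAMPLE_REPORT)
    if hits:
        for column, when in hits.items():
            print(f"FAIL: root {column} = {when.isoformat()}")
    else:
        print("PASS: root account not used in the last 7 days")
```

To run the same logic against a real account, replace `SAMPLE_REPORT` with the string returned by `fetch_credential_report()` and `NOW` with `datetime.now(timezone.utc)`; treat any non-empty result, and any `true` in the root row's `access_key_*_active` columns, as a finding to act on.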