How to Check Use of the Root Account

Generate a Credential Report to Verify Use of the Root Account
Because the root account has access to all AWS services and resources in your AWS account, active use of this user should be avoided. There are many layers of security that should surround the root account so that, unless emergency access is required, actions cannot be taken from this account. In this demo, AWS expert Mike Wise will walk through how to identify the last time that the password for the root account was used. 

  1. From the AWS Management Console, navigate to the IAM Dashboard.
  2. To generate the appropriate report, go to the Credential Report section and click Download Report.
  3. Open the CSV file and identify the password_last_used date for <root account>. When was the last time this account was used? If it’s used for daily or frequent actions, this is cause for concern. 

For a visual guide on how to generate a credentials report and check the use of the root account within that report, watch the full demo.   

Transcription
So, what you’re going to want to do is log in to the AWS Management Console with the user that has permission privileges to see IAM policies and to generate a credentials report. We’re going to first log in to the AWS Management Console. Then, we’re going to search for “IAM.” This will take us to the Identity and Access Management screen. From here, we’re going to generate what’s called a credentials report. We’re going to go down here, click on “Credentials Report,” then click “Download.” Once we’ve downloaded a credentials report, which is done in a CSV file, this is what we’ll see. The credentials report has a lot of great information about what’s going on with your IAM users and their settings. From this report, we can look at a couple of different things. We can look at the “user_creation_time” and we can look at the “password_last_used_time.” So, we can see for this demo account that the last time the root account was logged in to was in January 2019. This account is not being frequented for daily use or even just regular administrative actions. This would coincide with avoiding the use of the root account for any access unless it’s emergency access or absolutely required the use of the root account.

Related Videos