Ensure the root account does not have any active access keys
Why this matters
The AWS root user holds unrestricted permissions across your account. Unlike IAM roles or users, the root user cannot be limited by policies. If access keys are assigned to the root user, they can be used for programmatic access, bypassing the visibility of the console and posing a major security risk.
Best practice is to remove all root-level access keys entirely. Programmatic access should be handled exclusively through IAM roles and users with scoped permissions.
Removing root access keys significantly reduces the attack surface of your AWS environment and enforces modern security standards.
What this check does
This check validates whether the root user has any active programmatic access keys.
It passes if:
Both access_key_1_active
and access_key_2_active
for the root user are set to FALSE
It fails if:
One or both keys are active
How to fix it
⚠️ You must be signed in as the root user to manage these keys.
From the AWS Console
Sign in as the root user at https://console.aws.amazon.com
Click your account name in the top-right corner
Select My Security Credentials
On the security page, expand the Access Keys section
If any key is Active, click Delete
⚠️ Deleted keys cannot be recovered
Confirm deletion
Avoid just deactivating the keys. Even inactive keys still appear in credential reports and may cause compliance issues in automated checks.
From the Credential Report
You can generate a credential report and verify that the following fields for the root user are both set to FALSE
:
access_key_1_active
access_key_2_active
To generate the report:
aws iam generate-credential-report aws iam get-credential-report --query 'Content' --output text | base64 -d
Exceptions
There are no legitimate exceptions for root access keys in modern AWS security architecture. All programmatic access should be handled through IAM roles or users with least privilege applied.