Ensure the root account does not have any active access keys

Framework Reference: A.8.5 (Secure Authentication)

Integration: AWS – IAM

Why this matters

The AWS root user holds unrestricted permissions across your account. Unlike IAM roles or users, the root user cannot be limited by policies. If access keys are assigned to the root user, they allow programmatic access from outside the console, with none of the visibility a console sign-in provides, and pose a major security risk.

Best practice is to remove all root-level access keys entirely. Programmatic access should be handled exclusively through IAM roles and users with scoped permissions.

Removing root access keys significantly reduces the attack surface of your AWS environment and enforces modern security standards.


What this check does

This check validates whether the root user has any active programmatic access keys.

It passes if:

Both access_key_1_active and access_key_2_active for the root user are set to FALSE

It fails if:

One or both keys are active


How to fix it

⚠️ You must be signed in as the root user to manage these keys.

From the AWS Console

Sign in as the root user at https://console.aws.amazon.com

Click your account name in the top-right corner

Select My Security Credentials

On the security page, expand the Access Keys section

If any key is Active, click Delete

⚠️ Deleted keys cannot be recovered

Confirm deletion

Avoid just deactivating the keys. Even inactive keys still appear in credential reports and may cause compliance issues in automated checks.


From the Credential Report

You can generate a credential report and verify that the following fields for the root user are both set to FALSE:

access_key_1_active

access_key_2_active

To generate the report:

aws iam generate-credential-report
aws iam get-credential-report --query 'Content' --output text | base64 -d

Report generation is asynchronous: if get-credential-report returns a ReportInProgress error, re-run it after a few seconds. In the decoded CSV the root user appears in the user column as <root_account>.
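As an added example (not part of this article and not the check's own implementation), the following Python script applies the pass/fail rule from "What this check does" to a credential report in the CSV form the commands above return. It assumes the standard IAM credential report header, in which the root user is listed as <root_account> and the active flags are written as lowercase true/false; the sample rows are constructed, the account id 111122223333 is a placeholder, and the optional boto3 fetch helper reflects my reading of the boto3 IAM client (an assumption, not something the article states).

```python
"""Evaluate "root has no active access keys" against an IAM credential report.

Added example: parses the CSV that `aws iam get-credential-report` returns
(after base64 decoding) and applies the pass/fail rule of the check.
"""
import base64
import csv
import io
import time

# The credential report names the root user with this literal value.
ROOT_USER = "<root_account>"
KEY_FLAGS = ("access_key_1_active", "access_key_2_active")

# Standard IAM credential report header, in the column order AWS emits.
REPORT_COLUMNS = (
    "user,arn,user_creation_time,password_enabled,password_last_used,"
    "password_last_changed,password_next_rotation,mfa_active,"
    "access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,"
    "access_key_1_last_used_region,access_key_1_last_used_service,"
    "access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,"
    "access_key_2_last_used_region,access_key_2_last_used_service,"
    "cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated"
)


def build_sample_report(key1_active, key2_active):
    """Constructed sample report (not real data): a root row plus one IAM user.

    Account id 111122223333 is a documentation placeholder.
    """
    flag = lambda b: "true" if b else "false"
    root = [
        ROOT_USER, "arn:aws:iam::111122223333:root", "2020-01-01T00:00:00+00:00",
        "not_supported", "2024-05-01T10:00:00+00:00", "not_supported", "not_supported",
        "true",
        flag(key1_active), "2021-03-03T12:00:00+00:00", "2024-04-30T09:00:00+00:00",
        "us-east-1", "s3",
        flag(key2_active), "N/A", "N/A", "N/A", "N/A",
        "false", "N/A", "false", "N/A",
    ]
    user = [
        "deploy-bot", "arn:aws:iam::111122223333:user/deploy-bot",
        "2022-06-06T00:00:00+00:00", "false", "no_information", "N/A", "N/A", "false",
        "true", "2023-01-01T00:00:00+00:00", "2024-05-01T08:00:00+00:00", "eu-west-1", "ecr",
        "false", "N/A", "N/A", "N/A", "N/A",
        "false", "N/A", "false", "N/A",
    ]
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(REPORT_COLUMNS.split(","))
    writer.writerow(root)
    writer.writerow(user)
    return buf.getvalue()


def decode_report(content_b64):
    """Decode the base64 `Content` value printed by the CLI into CSV text."""
    return base64.b64decode(content_b64).decode("utf-8")


def evaluate_root_access_keys(report_csv):
    """PASS only if neither root access key flag is 'true'.

    Returns status PASS/FAIL/ERROR, the active flag names, and last-used
    details for each active key so a failing finding can be triaged.
    """
    rows = list(csv.DictReader(io.StringIO(report_csv)))
    root = next((r for r in rows if r.get("user") == ROOT_USER), None)
    if root is None:
        return {"status": "ERROR", "reason": "no <root_account> row", "active_keys": []}
    # The report writes the flags in lowercase; compare case-insensitively so the
    # FALSE spelling used in the article is accepted as well.
    active = [k for k in KEY_FLAGS if root.get(k, "").strip().lower() == "true"]
    details = {}
    for k in active:
        prefix = k.rsplit("_", 1)[0]  # e.g. "access_key_1"
        details[prefix] = {
            "last_used_date": root.get(prefix + "_last_used_date"),
            "last_used_service": root.get(prefix + "_last_used_service"),
        }
    return {"status": "FAIL" if active else "PASS", "active_keys": active, "details": details}


def fetch_report(max_wait_seconds=30):
    """Fetch a fresh report with boto3 (assumed client API; needs AWS credentials).

    Generation is asynchronous, so poll until the report is ready. boto3 hands
    back `Content` as raw bytes, already base64-decoded.
    """
    import boto3  # imported here so the rest of the module runs without it

    iam = boto3.client("iam")
    iam.generate_credential_report()
    deadline = time.time() + max_wait_seconds
    while True:
        try:
            return iam.get_credential_report()["Content"].decode("utf-8")
        except iam.exceptions.CredentialReportNotReadyException:
            if time.time() > deadline:
                raise
            time.sleep(2)


if __name__ == "__main__":
    for k1, k2 in ((False, False), (True, False)):
        print(k1, k2, evaluate_root_access_keys(build_sample_report(k1, k2)))
```

Run it as-is to see the constructed PASS and FAIL cases; against a real account, feed the output of the CLI pipeline above (or of fetch_report) into evaluate_root_access_keys. The last-used fields returned for a failing key tell you whether the key was actually in use before deletion, which is what you want to know before following the console steps.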


Exceptions

There are no legitimate exceptions for root access keys in modern AWS security architecture. All programmatic access should be handled through IAM roles or users with least privilege applied.


Further Resources

AWS Best Practices for Managing Access Keys

How to Manage Access Keys

Blog: Identifying Access Keys in Your AWS Account
