Help Center
Go back to application
Help Center
Go back to application
Platform Terms Glossary
Task Management
Task Management explained Creating Tasks Setting up Task NotificationsGiving permissions to team members
Organization
Working together in KertosInviting UsersCreating rolesAssigning System AccessCreating Departments and Assigning Users
Integrations
Discovery
Tasks
Device Management
Human Resource Information Systems
Inventory
Inventorization of vendorsInventorization of systemsInventorization of assetsEU AI Act: Inventorization of AI use cases
Risks
Managing risksApplying controls to risks
Trust Center
Setting up your trust center
Incidents
Reporting incidents
KAIA
KAIA explainedPrinciples of AI at Kertos
Interacting with KAIA
Compliance
Frameworks explainedManaging & implementing controlsCreating & managing policiesCompleting & assigning trainings
Privacy Management
Creating a RoPACreating TOMsCreating DPIAs
Data Subject Requests
API Reference
Ingress API Docs for DSRs Webhook API Docs for DSRs
Auto Checks
Auto Checks explainedAuto Checks: AWS Auto Checks: GCPAuto Checks: AzureAuto Checks Integration Guide for AzureAuto Checks Integration Guide for GCP
AWS Auto Checks Detailed Explanations
Enforce MFA on the AWS Root AccountVerify CloudTrail is logging management events across all AWS regionsEnsure no IAM AWS-managed policies grant full administrative accessConfirm that Amazon GuardDuty is enabled for threat detectionEnsure the root account does not have any active access keysConfirm IAM Access Analyzer is enabled to monitor access permissionsConfigure a log metric filter and alarm for unauthorized API callsConfigure a log metric filter and alarm for root account usageEnsure customer-managed IAM policies do not grant full administrative accessPrevent IAM identities from having inline policies with unrestricted accessMaintain accurate and up-to-date AWS account contact informationRegister a valid security contact in the AWS account settingsBlock IAM Inline Policies That Enable Privilege EscalationPrevent IAM Inline Policies from Granting Full CloudTrail AccessAvoid Full KMS Access in Inline IAM PoliciesPrevent Overly Permissive Role Assumption in Custom IAM PoliciesPrevent Privilege Escalation via Customer-Managed IAM PoliciesAvoid IAM Policies Granting Full CloudTrail AccessAvoid IAM Policies Granting Unrestricted KMS AccessPrevent IAM Roles from Assigning ReadOnlyAccess Permissions to External AWS AccountsProtect IAM Service Roles from Confused Deputy Attacks Using Proper Trust PoliciesAvoid Provisioning Access Keys During Initial IAM User Creation When Console Login is EnabledDetect IAM Users with Multiple Active Access Keys and Enforce Key Rotation

Ensure the root account does not have any active access keys

Framework Reference: A.8.5 (Secure Authentication) Integration: AWS – IAM

Why this matters

The AWS root user holds unrestricted permissions across your account. Unlike IAM roles or users, the root user cannot be limited by policies. If access keys are assigned to the root user, they can be used for programmatic access, bypassing the visibility of the console and posing a major security risk.

Best practice is to remove all root-level access keys entirely. Programmatic access should be handled exclusively through IAM roles and users with scoped permissions.

Removing root access keys significantly reduces the attack surface of your AWS environment and enforces modern security standards.

What this check does

This check validates whether the root user has any active programmatic access keys.

It passes if:

Both access_key_1_active and access_key_2_active for the root user are set to FALSE

It fails if:

One or both keys are active

How to fix it

⚠️ You must be signed in as the root user to manage these keys.

From the AWS Console

Sign in as the root user at https://console.aws.amazon.com

Click your account name in the top-right corner

Select My Security Credentials

On the security page, expand the Access Keys section

If any key is Active, click Delete

⚠️ Deleted keys cannot be recovered

Confirm deletion

Avoid just deactivating the keys. Even inactive keys still appear in credential reports and may cause compliance issues in automated checks.

From the Credential Report

You can generate a credential report and verify that the following fields for the root user are both set to FALSE:

access_key_1_active

access_key_2_active

To generate the report:

aws iam generate-credential-report aws iam get-credential-report --query 'Content' --output text | base64 -d

Exceptions

There are no legitimate exceptions for root access keys in modern AWS security architecture. All programmatic access should be handled through IAM roles or users with least privilege applied.

Further Resources

AWS Best Practices for Managing Access Keys

How to Manage Access Keys

Blog: Identifying Access Keys in Your AWS Account

Was this article helpful?

Powered by Product Fruits