Root Account Has Active Access Keys
- Query id: 970d224d-b42a-416b-81f9-8f4dfe70c4bc
- Query name: Root Account Has Active Access Keys
- Platform: Terraform
- Severity: High
- Category: Insecure Configurations
- URL: Github
Description¶
The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
#this is a problematic code where the query should report a result(s)
resource "aws_iam_access_key" "positive1" {
user = "root"
pgp_key = "keybase:some_person_that_exists"
}
resource "aws_iam_user" "positive3" {
name = "loadbalancer"
path = "/system/"
}
resource "aws_iam_user_policy" "positive4" {
name = "test"
user = aws_iam_user.lb.name
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:Describe*"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
EOF
}
output "secret" {
value = aws_iam_access_key.lb.encrypted_secret
}
Positive test num. 2 - tf file
resource "aws_iam_access_key" "positive2" {
user = "root"
pgp_key = "keybase:some_person_that_exists"
status = "Active"
}
resource "aws_iam_user" "lb" {
name = "loadbalancer"
path = "/system/"
}
resource "aws_iam_user_policy" "positive5" {
name = "test"
user = aws_iam_user.lb.name
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:Describe*"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
EOF
}
output "secret" {
value = aws_iam_access_key.lb.encrypted_secret
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
#this code is a correct code for which the query should not find any result
resource "aws_iam_access_key" "negative1" {
user = aws_iam_user.lb.name
pgp_key = "keybase:some_person_that_exists"
}
resource "aws_iam_user" "negative2" {
name = "loadbalancer"
path = "/system/"
}
resource "aws_iam_user_policy" "negative3" {
name = "test"
user = aws_iam_user.lb.name
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:Describe*"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
EOF
}
output "secret" {
value = aws_iam_access_key.lb.encrypted_secret
}