Root Account Has Active Access Keys

  • Query id: 970d224d-b42a-416b-81f9-8f4dfe70c4bc
  • Query name: Root Account Has Active Access Keys
  • Platform: Terraform
  • Severity: High
  • Category: Insecure Configurations
  • CWE: 710
  • URL: Github

Description

The AWS Root Account must not have active access keys associated with it; if any access keys are associated with the Root Account, they must be inactive.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
# This is problematic code for which the query should report one or more results
# Flagged by this query: the access key belongs to the root user and no
# `status` is set. The query treats an omitted status as active (compare
# positive test 2, which sets `status = "Active"` explicitly; the provider's
# default for `status` is also "Active"). Long-lived keys on the root account
# should not exist at all; day-to-day access belongs on IAM users/roles.
resource "aws_iam_access_key" "positive1" {
  user    = "root"
  # The secret is PGP-encrypted with this key before it is written to state.
  pgp_key = "keybase:some_person_that_exists"
}

# Ordinary IAM user used by the rest of this sample. It is not what the
# query inspects; the finding comes from the root-user access key above.
resource "aws_iam_user" "positive3" {
  path = "/system/"
  name = "loadbalancer"
}

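# Inline policy for the sample user. Not inspected by this query; it is here
# so the sample resembles a realistic IAM setup. The policy grants only the
# read-only ec2:Describe* actions, although on every resource ("*").
resource "aws_iam_user_policy" "positive4" {
  name = "test"
  # Fixed: the original referenced aws_iam_user.lb, which this sample never
  # declares. The user declared in this sample is "positive3".
  user = aws_iam_user.positive3.name

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}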

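# Exposes the PGP-encrypted secret of the sample key (encrypted with the
# pgp_key set on the access key, so it is not plaintext in CLI output).
# Fixed: the original referenced aws_iam_access_key.lb, which this sample
# never declares; the access key declared here is "positive1".
output "secret" {
  value = aws_iam_access_key.positive1.encrypted_secret
}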
Positive test num. 2 - tf file
# Flagged by this query: an access key for the root user that is explicitly
# active. Setting `status = "Inactive"` would satisfy the query, but the
# safer fix is to not create root access keys at all.
resource "aws_iam_access_key" "positive2" {
  user    = "root"
  # The secret is PGP-encrypted with this key before it is written to state.
  pgp_key = "keybase:some_person_that_exists"
  status = "Active"
}

# Ordinary IAM user referenced by the inline policy below. Not what the
# query inspects; the finding comes from the root-user access key above.
resource "aws_iam_user" "lb" {
  path = "/system/"
  name = "loadbalancer"
}

# Inline policy for the sample user. Not inspected by this query; it is here
# so the sample resembles a realistic IAM setup. The policy grants only the
# read-only ec2:Describe* actions, although on every resource ("*").
resource "aws_iam_user_policy" "positive5" {
  name = "test"
  user = aws_iam_user.lb.name

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}

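# Exposes the PGP-encrypted secret of the sample key (encrypted with the
# pgp_key set on the access key, so it is not plaintext in CLI output).
# Fixed: the original referenced aws_iam_access_key.lb, which this sample
# never declares; the access key declared here is "positive2".
output "secret" {
  value = aws_iam_access_key.positive2.encrypted_secret
}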

Code samples without security vulnerabilities

Negative test num. 1 - tf file
# This is correct code for which the query should not report any result
# Not flagged: the key belongs to a regular IAM user, not to root. The
# omitted `status` leaves the key active, which is acceptable for a
# non-root user as far as this query is concerned.
resource "aws_iam_access_key" "negative1" {
  user    = aws_iam_user.lb.name
  # The secret is PGP-encrypted with this key before it is written to state.
  pgp_key = "keybase:some_person_that_exists"
}

# Ordinary IAM user for the compliant sample. Not what the query inspects.
resource "aws_iam_user" "negative2" {
  path = "/system/"
  name = "loadbalancer"
}

# Inline policy for the sample user. Not inspected by this query; it is here
# so the sample resembles a realistic IAM setup. The policy grants only the
# read-only ec2:Describe* actions, although on every resource ("*").
resource "aws_iam_user_policy" "negative3" {
  name = "test"
  user = aws_iam_user.lb.name

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}

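# Exposes the PGP-encrypted secret of the sample key (encrypted with the
# pgp_key set on the access key, so it is not plaintext in CLI output).
# Fixed: the original referenced aws_iam_access_key.lb, which this sample
# never declares; the access key declared here is "negative1".
output "secret" {
  value = aws_iam_access_key.negative1.encrypted_secret
}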