AWS Security Blog

An Easier Way to Determine the Presence of AWS Account Access Keys

Last month, the AWS Security Blog encouraged you to adhere to AWS Identity and Access Management (IAM) best practices. One of these best practices is to lock away your AWS account (root) access keys and password, and not use them for day-to-day interaction with AWS. In fact, when it comes to your root account access keys, we recommend that you delete them. How, though, do you determine if your root account even has access keys?

In the past, the easiest way to determine if your root account had access keys was to sign in to the AWS Management Console using your root account password, which is something we recommend against doing regularly. Instead, you should enable multi-factor authentication (MFA) on your root account, and then you should only sign in with your root account when absolutely necessary. Furthermore, if you wanted to determine programmatically whether your root account had an access key, the only way to do it was to use the root account access key, which is an obvious dilemma. Now, though, it’s possible by using the AWS Command Line Interface (CLI) or the AWS SDKs to use the credentials of an IAM user to determine whether your root account has access keys. For the rest of this post, I’ll show you how you can use the AWS CLI to check if your root account has access keys. 

Determine the existence of root account access keys by using an IAM user’s credentials

First, you’ll need to install and configure the AWS CLI. If you haven’t done this already, follow the instructions in Installing the AWS Command Line Interface and Configuring the AWS Command Line Interface. When you configure the AWS CLI, make sure that you configure it with the credentials of an IAM user in your AWS account that has permission to perform the iam:GetAccountSummary action.

Next, you’ll use the iam get-account-summary command to retrieve IAM usage information for your AWS account. The command looks like this:

aws iam get-account-summary

This command will query your AWS account for IAM-related information, and then will produce a JSON document that looks similar to the following example:

  "SummaryMap": {
    "UsersQuota": 5000,
    "GroupsQuota": 100,
    "InstanceProfiles": 2,
    "SigningCertificatesPerUserQuota": 2,
    "AccountAccessKeysPresent": 0,
    "RolesQuota": 250,
    "RolePolicySizeQuota": 10240,
    "AccountSigningCertificatesPresent": 0,
    "Users": 24,
    "ServerCertificatesQuota": 20,
    "ServerCertificates": 0,
    "AssumeRolePolicySizeQuota": 2048,
    "Groups": 8,
    "MFADevicesInUse": 4,
    "Roles": 19,
    "AccountMFAEnabled": 1,
    "MFADevices": 4,
    "GroupsPerUserQuota": 10,
    "GroupPolicySizeQuota": 5120,
    "InstanceProfilesQuota": 100,
    "AccessKeysPerUserQuota": 2,
    "Providers": 0,
    "UserPolicySizeQuota": 2048

The JSON document contains a series of key-value pairs that describe IAM quotas and usage information for your AWS account. We recently added two new keys to this series: AccountAccessKeysPresent and AccountSigningCertificatesPresent. As you can see in the example JSON document, the value associated with these keys is  0 , which means there are no access keys or signing certificates for the root account. If the root account has ac cess keys or signing certificates present, the value for the corresponding key would be 1, which indicates the presence of a root account access key eve n when that access key is not active. The new AccountAccessKeysPresent key makes it possible to programmatically determine whether your root account has an access key.

Take advantage of this new capability today, and use it to determine if your root account has access keys. If you find that your root account does have access keys, remove them from any applications that are using them, and then delete them.

If you have any questions about this post or about our best practices for using access keys, please post them on the IAM Forum.

– Josh