AWS-002 Amazon Web Services (AWS)

No access keys exist on the root account.

Domain: Amazon Web Services (AWS)
Area: Account / Root
Automated / manual: Automated

Risk if it fails

Root API keys are long-lived god-mode credentials that bypass most guardrails.

A leaked root key can never be limited by policy and works from anywhere on earth. An attacker with it can do literally anything in the account, and there is no role to scope them down.

How Tess tests it

1 test — each concludes only on cited evidence.

No access keys exist on the root account.

Automated
Procedure
List root credential metadata in the credential report and confirm no active access keys.

Read-only command

aws iam get-account-summary --query 'SummaryMap.AccountAccessKeysPresent'
# Expect: 0
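
The credential-report form of the same check, as an added example (not Tess's own code): the function reads a report CSV on stdin and evaluates the `<root_account>` row. The sample reports and account ID are constructed, and the plain comma split assumes the report contains no quoted fields.

```shell
#!/bin/sh
# Added example: evaluate AWS-002 from an IAM credential report (CSV on stdin).
# Exit status: 0 = pass, 1 = fail (active root key), 2 = inconclusive.
check_root_keys() {
    awk -F',' '
        NR == 1 {
            # Map column names to positions so column order is not assumed.
            for (i = 1; i <= NF; i++) col[$i] = i
            if (!("user" in col) || !("access_key_1_active" in col) ||
                !("access_key_2_active" in col)) {
                print "INCONCLUSIVE: expected columns missing"; bad = 1; exit
            }
            next
        }
        $(col["user"]) == "<root_account>" {
            seen = 1
            k1 = $(col["access_key_1_active"])
            k2 = $(col["access_key_2_active"])
        }
        END {
            if (bad) exit 2
            # Fail closed: a report without a root row proves nothing.
            if (!seen) { print "INCONCLUSIVE: no <root_account> row"; exit 2 }
            if (k1 == "true" || k2 == "true") {
                print "FAIL: root access key active (key1=" k1 ", key2=" k2 ")"
                exit 1
            }
            print "PASS: no active root access keys"
        }'
}

# Constructed sample reports, trimmed to the columns the check reads.
sample_clean() {
    printf '%s\n' \
        'user,arn,mfa_active,access_key_1_active,access_key_2_active' \
        '<root_account>,arn:aws:iam::111122223333:root,true,false,false' \
        'alice,arn:aws:iam::111122223333:user/alice,true,true,false'
}
sample_leaky() {
    printf '%s\n' \
        'user,arn,mfa_active,access_key_1_active,access_key_2_active' \
        '<root_account>,arn:aws:iam::111122223333:root,true,false,true' \
        'alice,arn:aws:iam::111122223333:user/alice,true,false,false'
}

# Live use (needs iam:GenerateCredentialReport and iam:GetCredentialReport):
#   aws iam generate-credential-report
#   aws iam get-credential-report --query Content --output text \
#       | base64 -d | check_root_keys
```

An IAM user's active key, as in the `alice` row of the clean sample, does not affect the result; only the root row is evaluated.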
