
As I was auditing an org's AWS IAM, I did:

aws iam generate-credential-report

# a bit later, download the CSV (the Content field is base64-encoded)
aws iam get-credential-report --query Content --output text | base64 --decode > credential-report.csv

While viewing the report, one thing struck me as highly unusual: the password_last_used column for <root_account> is not empty:

(screenshot: aws iam credential report fragment)

How is this even possible?

IAM root accounts are supposed to be passwordless; even in this report, password_enabled shows not_supported.

What are the implications of this datum? Could this be an indication of a breach?

Is this some kind of known AWS glitch? Whom should I email to clear this up?

ulidtko
  • Posting on ServerFault as advised [here](https://meta.stackexchange.com/questions/141942/best-stack-exchange-site-for-asking-about-amazon-aws). – ulidtko Feb 27 '20 at 15:10

1 Answer

I think what you are seeing is normal.

Root accounts are NOT passwordless. You definitely need a password to log in as root. The root account is the email address you used when you created the account. It does not show up in IAM, i.e. you won't see an account listed as root.

Regarding password_enabled showing not_supported this is also normal.

When the user has a password, this value is TRUE. Otherwise it is FALSE. The value for the AWS account root user is always not_supported.

The reason it's not_supported is because the root account must have a password for console login.

The password_last_used datum shows the root account was used yesterday. If you or someone on your team did not log in with the root account yesterday then you have the potential for a breach. I would strongly suggest:

1) Use MFA with the root account.
2) Set up a CloudTrail log filter to alert when the root key is used.

Use a filter similar to:

"filterPattern": "{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }"

References

Credentials Report
Root User

kenlukas
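An added example (not from the question or the answer) that does, offline, what the answer describes: it parses a credential report CSV, flags a recent root console login and a root user without MFA, and applies the same three conditions as the CloudTrail filter pattern above to sample events. The CSV rows, the account id and the CloudTrail events are constructed sample data, not taken from the page.

```python
import csv
from datetime import datetime, timedelta

# Constructed sample of a credential report (columns trimmed to the ones used).
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,mfa_active
<root_account>,arn:aws:iam::123456789012:root,2018-01-05T10:00:00+00:00,not_supported,2020-02-26T09:14:31+00:00,false
alice,arn:aws:iam::123456789012:user/alice,2019-03-01T08:00:00+00:00,true,2020-02-20T12:00:00+00:00,true
"""

def parse_report(csv_text):
    """Return one dict per row of a decoded credential report."""
    return list(csv.DictReader(csv_text.splitlines()))

def root_password_findings(rows, now_iso, window_days=30):
    """Flag root console use within the window, and a root user without MFA."""
    now = datetime.fromisoformat(now_iso)
    findings = []
    for row in rows:
        if row["user"] != "<root_account>":
            continue
        last_used = row["password_last_used"]
        if last_used not in ("", "no_information", "N/A"):
            if now - datetime.fromisoformat(last_used) <= timedelta(days=window_days):
                findings.append("root console login at %s" % last_used)
        if row["mfa_active"] != "true":
            findings.append("root account has no MFA")
    return findings

def is_root_activity(event):
    """Same test as the answer's CloudTrail metric filter: Root identity,
    not invoked by an AWS service on its behalf, and not a service event."""
    ident = event.get("userIdentity", {})
    return (ident.get("type") == "Root"
            and "invokedBy" not in ident
            and event.get("eventType") != "AwsServiceEvent")

# Constructed CloudTrail events: a root console login and a service event.
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "Root", "accountId": "123456789012"}},
    {"eventName": "CreateSnapshot", "eventType": "AwsServiceEvent",
     "userIdentity": {"type": "Root", "invokedBy": "AWS Internal"}},
]

if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    print(root_password_findings(rows, "2020-02-27T00:00:00+00:00"))
    print([e["eventName"] for e in SAMPLE_EVENTS if is_root_activity(e)])
```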