# Step 1: Evidence Details

|System|Source of data|Frameworks|Purpose|
|---|---|---|---|
|aws|compliancecow||Ensure No Access Key With Root Access Exists|

```
Purpose:
Ensure no access key is associated with the root user. This practice enhances security by reducing the attack surface and minimizing the risk of unauthorized access to, or compromise of, critical AWS resources controlled by the root account.
We can use the "AWSCredentialReport" task for this evidence. Filter the records whose user type is "root" and evaluate whether "AccessKey1Active" or "AccessKey2Active" is true.
```

```
RecommendedEvidenceName: NoAccessKeyWithRootAccount
```


# Step 2: Define the System Specific Data (a.k.a Extended Data Schema)

In [None]:
```
# AWS Example
[
  {
    "User": "root_account",
    "ARN": "arn:aws:iam::022654265366:root",
    "UserCreationTime": "2023-03-17T07:04:00+00:00",
    "PasswordEnabled": true,
    "PasswordLastUsed": "2024-03-08T05:47:36+00:00",
    "PasswordLastChanged": "2023-03-17T07:04:00+00:00",
    "PasswordNextRotation": "N/A",
    "MFAActive": false,
    "AccessKey1Active": true,
    "AccessKey1LastRotated": "N/A",
    "AccessKey1LastUsed": "2024-03-13T06:47:00+00:00",
    "AccessKey1LastUsedRegion": "us-west-2",
    "AccessKey1LastUsedService": "securityhub",
    "AccessKey2Active": true,
    "AccessKey2LastRotated": "",
    "Accesskey2LastUsedDate": "",
    "AccessKey2LastUsedRegion": "",
    "AccessKey2LastUsedService": "",
    "Cert1Active": "",
    "Cert1LastRotated": "",
    "Cert2Active": "",
    "Cert2LastRotated": "",
    "MFADevices": ""
  }
]
```

# Step 3: Define the Standard Schema
  


In [None]:
```
{
    # Meta
    "System": "aws",
    "Source": "compliancecow",

    # Resource info
    "ResourceID": "arn:aws:iam::022654265366:root",
    "ResourceName": "root_account",
    "ResourceType": "AwsIamUser",
    "ResourceLocation": "global",
    "ResourceTags": null,
    "ResourceURL": "N/A", # not applicable for the root user

    # Data
    "AccessKey1Status": "AccessKey1 does not exist",
    "AccessKey2Status": "AccessKey2 does not exist",

    # Compliance details
    "ValidationStatusCode": "ACS_KY_NT_EXT",
    "ValidationStatusNotes": "No access keys exist for the root account",
    "ComplianceStatus": "COMPLIANT",
    "ComplianceStatusReason": "Record is compliant as the root account does not have any access keys",
    "EvaluatedTime": "2023-12-22T07:03:17.425Z",

    # User editable data
    "UserAction": "",

    # Action editable data
    "ActionStatus": "",
    "ActionResponseURL": ""
}
```

# Step 3.a: Sample Data

|System|Source|ResourceID|ResourceName|ResourceType|ResourceLocation|ResourceTags|ResourceURL|AccessKey1Status|AccessKey2Status|ValidationStatusCode|ValidationStatusNotes|ComplianceStatus|ComplianceStatusReason|EvaluatedTime|UserAction|ActionStatus|ActionResponseURL|
|------|------|------|------|------|------|------|------|------|------|------|------|------|------|------|------|------|------|
|aws|compliancecow|root_account|root_account|AwsIamUser|global||N/A|AccessKey1 does not exist|AccessKey2 does not exist|ACS_KY_NT_EXT|No access keys exist for the root account|COMPLIANT|Record is compliant as the root account does not have any access keys|2023-12-22T07:02:57.788Z||||

# Step 4: Describe the Compliance Taxonomy

|AccessKey1Status|AccessKey2Status|ValidationStatusCode|ValidationStatusNotes|ComplianceStatus|ComplianceStatusReason|
|---|---|---|---|---|---|
|AccessKey1 is active|AccessKey2 is active|ACS_KY_EXT|Access keys exist for the root account|NON_COMPLIANT|Record is not compliant as the root account has access keys|
|AccessKey1 is inactive|AccessKey2 is inactive|ACS_KY_NT_EXT|No access keys exist for the root account|COMPLIANT|Record is compliant as the root account does not have any access keys|
|AccessKey1 is inactive|AccessKey2 is active|ACS_KY_EXT|Access keys exist for the root account|NON_COMPLIANT|Record is not compliant as the root account has access keys|
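The evaluation described in Step 1 (filter the credential report to the root user, test `AccessKey1Active` / `AccessKey2Active`) and the mapping into the Step 3 schema via the Step 4 taxonomy, written out as an added example; this is not ComplianceCow's own task code. It assumes rows in the Step 2 shape, identifies the root row by an ARN ending in `:root`, and accepts either boolean or `"true"`/`"false"` string values since the raw credential report is CSV; the sample rows are constructed.

```python
from datetime import datetime, timezone

# Constructed sample rows in the Step 2 shape: two root rows (one per taxonomy branch) and one IAM user.
SAMPLE_REPORT = [
    {"User": "root_account", "ARN": "arn:aws:iam::111111111111:root",
     "AccessKey1Active": True, "AccessKey2Active": False},
    {"User": "root_account", "ARN": "arn:aws:iam::222222222222:root",
     "AccessKey1Active": "false", "AccessKey2Active": "false"},
    {"User": "alice", "ARN": "arn:aws:iam::111111111111:user/alice",
     "AccessKey1Active": True, "AccessKey2Active": False},
]


def _is_true(value):
    # The credential report CSV carries "true"/"false" strings; the JSON sample carries booleans.
    return str(value).strip().lower() == "true"


def evaluate_root_record(row):
    """Map one root credential-report row to the Step 3 standard schema using the Step 4 taxonomy."""
    key1, key2 = _is_true(row.get("AccessKey1Active")), _is_true(row.get("AccessKey2Active"))
    any_key = key1 or key2  # a single active key is enough to fail the record
    return {
        "System": "aws",
        "Source": "compliancecow",
        "ResourceID": row["ARN"],
        "ResourceName": row["User"],
        "ResourceType": "AwsIamUser",
        "ResourceLocation": "global",
        "ResourceTags": None,
        "ResourceURL": "N/A",  # not applicable for the root user
        "AccessKey1Status": "AccessKey1 is active" if key1 else "AccessKey1 is inactive",
        "AccessKey2Status": "AccessKey2 is active" if key2 else "AccessKey2 is inactive",
        "ValidationStatusCode": "ACS_KY_EXT" if any_key else "ACS_KY_NT_EXT",
        "ValidationStatusNotes": ("Access keys exist for the root account" if any_key
                                  else "No access keys exist for the root account"),
        "ComplianceStatus": "NON_COMPLIANT" if any_key else "COMPLIANT",
        "ComplianceStatusReason": ("Record is not compliant as the root account has access keys" if any_key
                                   else "Record is compliant as the root account does not have any access keys"),
        # Millisecond-precision UTC timestamp in the same form as the Step 3 sample
        "EvaluatedTime": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z",
        "UserAction": "",
        "ActionStatus": "",
        "ActionResponseURL": "",
    }


def evaluate_report(report):
    """Keep only root rows (assumption: the root ARN ends in ':root') and evaluate each one."""
    return [evaluate_root_record(r) for r in report if r.get("ARN", "").endswith(":root")]
```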




# Step 5: Calculation for Compliance Percentage and Status




In [None]:
```
# Calculation of Compliance Percentage

def compliance_pct(records):
    # TotalRecordCount: count of 'COMPLIANT' and 'NON_COMPLIANT' records
    TotalRecordCount = sum(1 for r in records if r["ComplianceStatus"] in ("COMPLIANT", "NON_COMPLIANT"))
    # FailedRecordCount: count of 'NON_COMPLIANT' records
    FailedRecordCount = sum(1 for r in records if r["ComplianceStatus"] == "NON_COMPLIANT")
    if TotalRecordCount == 0:
        return 0  # guard added: nothing evaluated, so nothing can be reported as compliant
    return int(100 - ((FailedRecordCount * 100) / TotalRecordCount))

# Compliance Status
# COMPLIANT     - 100%
# NON_COMPLIANT - 0% to less than 100%
```

# Step 6: Describe (in words) the Remediation Steps for Non-Compliance

There is an AccessKey present for the Root account. To enhance security and adhere to best practices, disable the access key associated with the root account. Access keys for the root account pose a significant security risk and should not be used. Instead, use IAM users with limited privileges for day-to-day operations.


Follow the AWS documentation for guidance on managing access keys for the root account:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_delete-key

# Step 7: Control Setup Details

| Control Details            |                               |
|----------------------------|-------------------------------|
| **RuleName**               | AWSRootAccountAccessKeyReport |
| **PreRequisiteRuleNames**  | AWSCredentialReport           |
| **ApplicationClassName**   | AWSAppConnector               |