Deny Root User Usage

Overview

This AWS Service Control Policy (SCP) is designed to deny all usage of the root user across AWS accounts within the Root Organizational Unit (OU). This policy ensures that account owners and administrators do not use the root user, mitigating the risk of unauthorized access if the root user's credentials are compromised. It serves as a compensating control for accounts created via AWS Organizations that do not have MFA enabled for the root user.

JSON Policy

Deny All Root Usage

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRootUsage",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:PrincipalArn": ["arn:*:iam::*:root"]
        }
      }
    }
  ]
}

Deny Root Usage Except from a Specific IP Address

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRootUsage",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:PrincipalArn": ["arn:*:iam::*:root"]
        },
        "NotIpAddress": {
          "aws:SourceIp": "1.2.3.4"
        }
      }
    }
  ]
}

Explanation

Statements

  1. Deny All Root Usage

    • Sid: "DenyRootUsage" - A unique identifier for this statement within the policy.
    • Effect: "Deny" - The statement denies, rather than allows, whatever it matches.
    • Action: "*" - Matches every API action.
    • Resource: "*" - Applies to all resources.
    • Condition:
      • StringLike: The statement applies only when aws:PrincipalArn matches "arn:*:iam::*:root", the ARN form of a root user in any partition and any account.
  2. Deny Root Usage Except from a Specific IP Address

    • Sid: "DenyRootUsage" - A unique identifier for this statement within the policy.
    • Effect: "Deny" - The statement denies, rather than allows, whatever it matches.
    • Action: "*" - Matches every API action.
    • Resource: "*" - Applies to all resources.
    • Condition: Both condition operators must be satisfied for the deny to take effect.
      • StringLike: The statement applies only when aws:PrincipalArn matches "arn:*:iam::*:root", the ARN form of a root user in any partition and any account.
      • NotIpAddress: The statement applies only when the request does not originate from the specified IP address ("1.2.3.4"); requests by the root user from that address are therefore not denied by this SCP.
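To make the evaluation of the two statements concrete, the following is an added example (not part of the original page or an AWS tool): a toy policy evaluator that loads both SCPs from the page and checks them against constructed request contexts. The account IDs, role name, source addresses and the rule that a missing aws:SourceIp still triggers the deny are assumptions of this example; it models only the StringLike and NotIpAddress operators used on this page.

```python
"""Toy SCP evaluator for the two deny-root statements above.

Added example, not an AWS library. Request contexts are constructed;
account IDs, role names and addresses are made up.
"""
import fnmatch
import ipaddress

# First policy from the page: deny everything to any root user.
DENY_ALL_ROOT = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyRootUsage",
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {"StringLike": {"aws:PrincipalArn": ["arn:*:iam::*:root"]}},
    }],
}

# Second policy from the page: same deny, except from one source address.
DENY_ROOT_EXCEPT_IP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyRootUsage",
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {
            "StringLike": {"aws:PrincipalArn": ["arn:*:iam::*:root"]},
            "NotIpAddress": {"aws:SourceIp": "1.2.3.4"},
        },
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _string_like(patterns, value):
    # IAM StringLike is case-sensitive and supports '*' and '?' wildcards.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _ip_in(cidrs, value):
    # A bare address such as "1.2.3.4" is treated as a /32 network.
    addr = ipaddress.ip_address(value)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def _condition_matches(condition, ctx):
    """All operator/key pairs are ANDed; multiple values under one key are ORed."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected = _as_list(expected)
            actual = ctx.get(key)
            if operator == "StringLike":
                if actual is None or not _string_like(expected, actual):
                    return False
            elif operator == "NotIpAddress":
                # Assumption of this toy evaluator: a request carrying no
                # aws:SourceIp is not "from the allow-listed address", so
                # the deny still applies to it.
                if actual is not None and _ip_in(expected, actual):
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
    return True


def scp_denies(policy, ctx):
    """True if any Deny statement in `policy` matches the request context `ctx`."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        # Action names match case-insensitively with the same wildcards.
        actions = [a.lower() for a in _as_list(stmt["Action"])]
        if not any(fnmatch.fnmatchcase(ctx["action"].lower(), a) for a in actions):
            continue
        if _condition_matches(stmt.get("Condition", {}), ctx):
            return True
    return False


# Constructed request contexts (keys mirror IAM condition keys).
ROOT_ARN = "arn:aws:iam::111122223333:root"
ROOT_FROM_LISTED_IP = {"action": "s3:ListAllMyBuckets", "aws:PrincipalArn": ROOT_ARN, "aws:SourceIp": "1.2.3.4"}
ROOT_FROM_OTHER_IP = {"action": "s3:ListAllMyBuckets", "aws:PrincipalArn": ROOT_ARN, "aws:SourceIp": "203.0.113.7"}
ROOT_NO_SOURCE_IP = {"action": "iam:CreateUser", "aws:PrincipalArn": ROOT_ARN}
ROOT_OTHER_PARTITION = {"action": "ec2:RunInstances", "aws:PrincipalArn": "arn:aws-us-gov:iam::111122223333:root", "aws:SourceIp": "203.0.113.7"}
ADMIN_ROLE = {"action": "iam:CreateUser", "aws:PrincipalArn": "arn:aws:iam::111122223333:role/AdminRole", "aws:SourceIp": "203.0.113.7"}

if __name__ == "__main__":
    for name, ctx in [("root from 1.2.3.4", ROOT_FROM_LISTED_IP), ("root from other IP", ROOT_FROM_OTHER_IP),
                      ("root, no source IP", ROOT_NO_SOURCE_IP), ("root, other partition", ROOT_OTHER_PARTITION),
                      ("IAM role", ADMIN_ROLE)]:
        print(f"{name:22} deny-all: {scp_denies(DENY_ALL_ROOT, ctx)!s:5}  except-IP: {scp_denies(DENY_ROOT_EXCEPT_IP, ctx)}")
```

Running the script shows the difference between the two variants: the first denies the root user everywhere, the second denies the root user unless the request arrives from 1.2.3.4, and neither touches an IAM role. The partition wildcard in "arn:*:iam::*:root" is why the GovCloud-style ARN is also caught. Two things the evaluator does not model but that matter in practice: an SCP never applies to principals in the organization's management account, so that account's root user is not restricted by this policy, and this example's treatment of a request without aws:SourceIp is an assumption rather than a statement of IAM's own semantics.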

When to Use This Policy

  • Prevent Root Usage: Use this policy to ensure that the root user is not used for day-to-day operations, enhancing the security of your AWS accounts.
  • Mitigate Compromise Risk: Helps prevent threat actors from using the root user if the root email is compromised.

Benefits

  • Enhanced Security: Reduces the risk of unauthorized actions by the root user.
  • Encourages Best Practices: Encourages the use of IAM users and roles with appropriate permissions instead of the root user.
  • Compensating Control: Acts as a compensating control for accounts without MFA enabled on the root user.

Potential Drawbacks

  • Restricted Access: Legitimate use of the root user for emergency (break-glass) access will be denied unless an exception such as the source-IP variant is in place.
  • Management Overhead: Requires careful management and documentation of exceptions (e.g., the specific IP addresses permitted for emergency access).

Summary

This SCP is essential for enhancing the security of AWS accounts by denying the usage of the root user. By applying this policy to the Root OU, you ensure that the root user is not used for regular operations, thereby mitigating the risk of unauthorized access and potential security breaches. Regularly review and update the policy to ensure it aligns with your organizational requirements and security practices.