AWS IAM root user activity is assessed by inspecting the last-used timestamps for the root password and the root access keys in the IAM credential report. The check fails when the root identity has been used for console (password) or programmatic (access key) access within the last 24 hours.
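The following is an added example of the evaluation described above, written for this page and not taken from Prowler's own check implementation. It parses a constructed IAM credential report (same column names as the real report, trimmed to the columns the check reads; the sample rows and account ID are made up), takes the most recent of the root row's password and access-key last-used timestamps, and reports whether that falls inside a 24-hour window. The window and the `<root_account>` user name match what the page and the IAM report use; fetching a live report via boto3 is left as a comment so the example runs offline.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample credential report (NOT real data). The real CSV comes from
# iam.generate_credential_report() followed by iam.get_credential_report()["Content"].
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-06-01T09:15:00+00:00,true,true,2024-05-20T11:00:00+00:00,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2021-03-04T00:00:00+00:00,true,2024-06-01T08:00:00+00:00,true,true,2024-06-01T07:00:00+00:00,false,N/A
"""

ROOT_USER = "<root_account>"  # user name IAM writes on the root row
# Root-row columns whose timestamp means console (password) or API (access key) use.
LAST_USED_FIELDS = ("password_last_used",
                    "access_key_1_last_used_date",
                    "access_key_2_last_used_date")
# Placeholder values IAM emits when there is no timestamp to report.
NO_TIMESTAMP = {"N/A", "no_information", "not_supported", ""}
WINDOW = timedelta(hours=24)  # the "used recently" threshold this check applies


def parse_timestamp(value):
    """Return an aware datetime for an IAM report timestamp, or None for a placeholder."""
    if value in NO_TIMESTAMP:
        return None
    # IAM writes ISO 8601 with an explicit offset; tolerate a trailing 'Z' as well.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def root_last_used(report_csv):
    """Return (field, datetime) of the most recent root credential use, or None if never used."""
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] != ROOT_USER:
            continue
        latest = None
        for field in LAST_USED_FIELDS:
            ts = parse_timestamp(row.get(field, "N/A"))
            if ts is not None and (latest is None or ts > latest[1]):
                latest = (field, ts)
        return latest
    raise ValueError("credential report has no <root_account> row")


def root_used_recently(report_csv, now, window=WINDOW):
    """True (the check FAILS) when any root credential was used within `window` before `now`."""
    latest = root_last_used(report_csv)
    if latest is None:
        return False
    return now - latest[1] <= window


if __name__ == "__main__":
    now = parse_timestamp("2024-06-02T00:00:00+00:00")  # fixed clock for a reproducible run
    field, when = root_last_used(SAMPLE_REPORT)
    status = "FAIL" if root_used_recently(SAMPLE_REPORT, now) else "PASS"
    print(f"{status}: root last used via {field} at {when.isoformat()}")
```

Note that the report's own timestamps are authoritative, not the time the check ran: the evaluation at `2024-06-02T00:00:00+00:00` fails because the password was used about 15 hours earlier, while the same report evaluated a day later passes.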
Risk
Recent root usage expands the blast radius of a compromise, because the root user is not constrained by IAM identity-based policies:
- Data exfiltration (confidentiality)
- Policy/key tampering (integrity)
- Resource deletion and billing changes (availability)
Routine root use also makes root activity look normal, so anomalous sign-ins are harder to spot, and it increases the impact of an account takeover.
Run this check with Prowler CLI
prowler aws --checks iam_avoid_root_usage
Recommendation
Minimize root usage by applying least privilege with admin roles or federated SSO and temporary credentials.
- Enforce MFA on root
- Avoid or remove root access keys
- Require multi-person approval for any root use (a documented break-glass procedure)
- Monitor and alert on any root sign-in
- Use AWS Organizations guardrails (service control policies on member accounts) for defense in depth
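The "monitor and alert on any root sign-in" recommendation is illustrated below with an added example (written for this page; it is not Prowler code). It applies the CIS AWS Foundations Benchmark root-usage filter logic (userIdentity.type is Root, no userIdentity.invokedBy, and eventType is not AwsServiceEvent) to a handful of constructed CloudTrail records. The records, IP addresses and account ID are made up; the field names are the real CloudTrail ones.

```python
import json

# CloudWatch Logs metric filter pattern from the CIS AWS Foundations Benchmark
# (root usage monitoring), reproduced here for reference.
CIS_ROOT_USAGE_FILTER = ('{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS '
                         '&& $.eventType != "AwsServiceEvent" }')

# Constructed CloudTrail records (NOT real logs), trimmed to the fields the rule reads.
SAMPLE_EVENTS = [
    # 1. Interactive root console login: must alert.
    {"eventTime": "2024-06-01T09:15:02Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "Root", "accountId": "123456789012"},
     "sourceIPAddress": "203.0.113.10",
     "responseElements": {"ConsoleLogin": "Success"}},
    # 2. API call made with root credentials: must alert.
    {"eventTime": "2024-06-01T09:20:11Z", "eventName": "CreateAccessKey",
     "eventSource": "iam.amazonaws.com", "eventType": "AwsApiCall",
     "userIdentity": {"type": "Root", "accountId": "123456789012"},
     "sourceIPAddress": "203.0.113.10"},
    # 3. An AWS service acting on root's behalf (invokedBy present): not a human root action.
    {"eventTime": "2024-06-01T10:00:00Z", "eventName": "DescribeTable",
     "eventSource": "dynamodb.amazonaws.com", "eventType": "AwsApiCall",
     "userIdentity": {"type": "Root", "accountId": "123456789012",
                      "invokedBy": "cloudformation.amazonaws.com"},
     "sourceIPAddress": "cloudformation.amazonaws.com"},
    # 4. Service event attributed to root: excluded by the eventType clause.
    {"eventTime": "2024-06-01T10:05:00Z", "eventName": "AddUserToGroup",
     "eventSource": "iam.amazonaws.com", "eventType": "AwsServiceEvent",
     "userIdentity": {"type": "Root", "accountId": "123456789012"}},
    # 5. Ordinary IAM user: not root.
    {"eventTime": "2024-06-01T10:10:00Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "IAMUser", "accountId": "123456789012", "userName": "alice"},
     "sourceIPAddress": "198.51.100.7"},
]


def is_root_activity(event):
    """Mirror the CIS filter: human/API use of the root identity, not service-invoked."""
    identity = event.get("userIdentity", {})
    return (identity.get("type") == "Root"
            and "invokedBy" not in identity
            and event.get("eventType") != "AwsServiceEvent")


def root_alerts(events):
    """Return alert records (time, action, source IP, account) for every root action."""
    return [{"eventTime": e["eventTime"],
             "eventName": e["eventName"],
             "sourceIPAddress": e.get("sourceIPAddress", "unknown"),
             "accountId": e["userIdentity"].get("accountId", "unknown")}
            for e in events if is_root_activity(e)]


if __name__ == "__main__":
    for alert in root_alerts(SAMPLE_EVENTS):
        print("ROOT ACTIVITY:", json.dumps(alert))
```

The same condition is what a CloudWatch metric filter or an EventBridge rule on the CloudTrail feed would carry; keeping the exclusions for invokedBy and AwsServiceEvent avoids paging on AWS-internal actions that CloudTrail attributes to the root principal.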
Remediation
Other
- Sign in to the AWS Management Console as the root user
- In the top-right, click your account name > Security credentials
- Under Access keys for the root user, delete all existing keys
- Sign out of the root user and do not use it again
- Wait 24 hours (the check passes once the root user has not been used for a full day); IAM regenerates the credential report at most every four hours, so a pass can lag the last root use by a few additional hours
Resource Type
AwsIamUser