AWS govcloud-us documentation change
Summary
Updated terminology from 'root user access keys' to 'root access keys' across the document, adjusted placeholder formats, and updated Security Hub control references to match new terminology.
Security assessment
The changes are primarily terminology updates (removing 'user' from 'root user access keys') and formatting adjustments. There's no evidence of addressing a specific vulnerability or security incident. The security recommendations remain unchanged.
Diff
diff --git a/govcloud-us/latest/UserGuide/govcloud-account-root-user.md b/govcloud-us/latest/UserGuide/govcloud-account-root-user.md index b36a0f315..ce51d9a8b 100644 --- a//govcloud-us/latest/UserGuide/govcloud-account-root-user.md +++ b//govcloud-us/latest/UserGuide/govcloud-account-root-user.md @@ -32 +32 @@ In this guide you will find… -We strongly recommend that you do not use the root user for your everyday tasks, even the administrative ones. Instead, adhere to the best practice of using the root user only to create your first IAM user. Then securely lock away the root user access keys and use them to perform only a few account and service management tasks. To view the tasks that require root user access keys, see Tasks in AWS GovCloud (US) Regions that require root user access keys +We strongly recommend that you do not use the root user for your everyday tasks, even the administrative ones. Instead, adhere to the best practice of using the root user only to create your first IAM user. Then securely lock away the root user access keys and use them to perform only a few account and service management tasks. To view the tasks that require root user access keys, see Tasks in AWS GovCloud (US) Regions that require root access keys @@ -63 +63 @@ In this example, the root user has an active root access key in the account beca -For info on removing root user access keys, see Deleting my AWS GovCloud (US) account root user access keys. +For info on removing root user access keys, see Deleting my AWS GovCloud (US) account root access keys. @@ -69 +69 @@ If AWS Security Hub CSPM is enabled on your account, the following Security Hub - * [CIS AWS Foundations Benchmark standard: 1.12 – Ensure no root user access key exists](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.12) + * [CIS AWS Foundations Benchmark standard: 1.12 – Ensure no root access key exists](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.12) @@ -71 +71 @@ If AWS Security Hub CSPM is enabled on your account, the following Security Hub - * [Payment Card Industry Data Security Standard (PCI DSS): [PCI.IAM.1 IAMroot user access key should not exist](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-pci-controls.html#pcidss-iam-1)] + * [Payment Card Industry Data Security Standard (PCI DSS): [PCI.IAM.1 IAM root access key should not exist](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-pci-controls.html#pcidss-iam-1)] @@ -73 +73 @@ If AWS Security Hub CSPM is enabled on your account, the following Security Hub - * [AWS Foundational Security Best Practices standard: [IAM.4 IAMroot user access key should not exist](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-iam-4)] + * [AWS Foundational Security Best Practices standard: [IAM.4 IAM root access key should not exist](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-iam-4)] @@ -80 +80 @@ For more information on AWS Security Hub CSPM, see the [AWS Security Hub CSPM Us -To remediate these findings, see Deleting my AWS GovCloud (US) account root user access keys. +To remediate these findings, see Deleting my AWS GovCloud (US) account root access keys. @@ -102 +102 @@ The AWS GovCloud (US) account root user access keys provides unrestricted access -If your AWS GovCloud (US) account is in an AWS GovCloud (US) Organization and has a service control policy (SCP) applied to the AWS GovCloud (US) account that [disallows actions as the root user](https://docs.aws.amazon.com/controltower/latest/userguide/strongly-recommended-controls.html#disallow-root-auser-actions) or [prevents the creation of root access keys](https://docs.aws.amazon.com/controltower/latest/userguide/strongly-recommended-controls.html#disallow-root-access-keys), your AWS GovCloud (US) [Organization management account](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html) will need to adjust the SCP before you can request AWS GovCloud (US) account root access keys. Specifically they will need to allow the following actions from the root user: +If your AWS GovCloud (US) account is in an AWS GovCloud (US) Organization and has a service control policy (SCP) applied to the AWS GovCloud (US) account that [disallows actions as the root](https://docs.aws.amazon.com/controltower/latest/userguide/strongly-recommended-controls.html#disallow-root-auser-actions) or [prevents the creation of root access keys](https://docs.aws.amazon.com/controltower/latest/userguide/strongly-recommended-controls.html#disallow-root-access-keys), your AWS GovCloud (US) [Organization management account](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html) will need to adjust the SCP before you can request AWS GovCloud (US) account root access keys. Specifically they will need to allow the following actions from the root user: @@ -121 +121 @@ This is useful in the situation where a member account may have forgot or lost t -When a member account needs to perform administrative task as the root user after retrieving their new AWS GovCloud (US) account root access keys from Support, they may be blocked from completing the task. Move the member account to another OU with a less restrictive SCP applied or remove the policy completely to enable them to complete [Tasks in AWS GovCloud (US) Regions that require root user access keys](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-account-root-user.html). +When a member account needs to perform administrative task as the root user after retrieving their new AWS GovCloud (US) account root access keys from Support, they may be blocked from completing the task. Move the member account to another OU with a less restrictive SCP applied or remove the policy completely to enable them to complete [Tasks in AWS GovCloud (US) Regions that require root access keys](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-account-root-user.html). @@ -175 +175 @@ In this step, you create a support case to the Accounts and Billing support team - 1. [Sign in to your standard AWS account](https://console.aws.amazon.com/) associated with your AWS GovCloud (US) account as the root user. To learn about signing in as the root user, see [Sign in as the root user](https://docs.aws.amazon.com/signin/latest/userguide/introduction-to-root-user-sign-in-tutorial.html) in the _AWS Sign-In User Guide_. + 1. [Sign in to your standard AWS account](https://console.aws.amazon.com/) associated with your AWS GovCloud (US) account as the root user. To learn about signing in as the root user, see [Sign in as the root](https://docs.aws.amazon.com/signin/latest/userguide/introduction-to-root-user-sign-in-tutorial.html) in the _AWS Sign-In User Guide_. @@ -195 +195 @@ If you are having issues signing in to your standard AWS account as the root use - Asymmetric {kms-key} ARN: [Asymmetric {kms-key} ARN from Step 1] + Asymmetric [shared]``kms-key`` ARN: [Asymmetric {shared}kms-key ARN from Step 1] @@ -199,2 +199,2 @@ If you are having issues signing in to your standard AWS account as the root use - Addendum to the {aws} Customer Agreement (the "{govcloud-us} Addendum") - that apply to and governs the use of the {aws-services} in the {govcloud-us} + Addendum to the [shared]``AWS`` Customer Agreement (the "{govcloud-us} Addendum") + that apply to and governs the use of the [shared]``AWS-services`` in the {govcloud-us} @@ -205 +205 @@ If you are having issues signing in to your standard AWS account as the root use - to sanctions); and have full authority to request {aws} release to me + to sanctions); and have full authority to request [shared]``AWS`` release to me @@ -256 +256 @@ In this step, you will retrieve your new AWS GovCloud (US) account root user acc - 1. [Sign in to your standard AWS account](https://console.aws.amazon.com/) associated with your AWS GovCloud (US) account as the root user. To learn about signing in as the root user, see [Sign in as the root user](https://docs.aws.amazon.com/signin/latest/userguide/introduction-to-root-user-sign-in-tutorial.html) in the _AWS Sign-In User Guide_. + 1. [Sign in to your standard AWS account](https://console.aws.amazon.com/) associated with your AWS GovCloud (US) account as the root user. To learn about signing in as the root user, see [Sign in as the root](https://docs.aws.amazon.com/signin/latest/userguide/introduction-to-root-user-sign-in-tutorial.html) in the _AWS Sign-In User Guide_. @@ -328 +328 @@ See the Troubleshooting section below should you experience any errors running t - 10. Save your AWS GovCloud (US) account root user access keys in a safe location. To learn more, see Securing my AWS GovCloud (US) account root user access keys in this guide. + 10. Save your AWS GovCloud (US) account root user access keys in a safe location. To learn more, see Securing my AWS GovCloud (US) account root access keys in this guide. @@ -330 +330 @@ See the Troubleshooting section below should you experience any errors running t - 11. Configure AWS GovCloud (US) account root user access keys in the AWS CLI (AWS CloudShell) to complete Tasks in AWS GovCloud (US) Regions that require root user access keys. + 11. Configure AWS GovCloud (US) account root access keys in the AWS CLI (CloudShell) to complete Tasks in AWS GovCloud (US) Regions that require root access keys. @@ -383 +383 @@ If you are signed in as the root user of the standard AWS account associated wit -Before completing Tasks in AWS GovCloud (US) Regions that require root user access keys, you will need to configure the AWS CLI with your AWS GovCloud (US) account root user access keys. If you do not have AWS GovCloud (US) account root user access keys, see Requesting root access keys for an AWS GovCloud (US) account. +Before completing Tasks in AWS GovCloud (US) Regions that require root access keys, you will need to configure the AWS CLI with your AWS GovCloud (US) account root user access keys. If you do not have AWS GovCloud (US) account root user access keys, see Requesting root access keys for an AWS GovCloud (US) account. @@ -395,2 +395,2 @@ The following example creates a profile named `govcloudroot` using sample values - {aws} Access Key ID [None]: <AKIAI44QH8DHBEXAMPLE> - {aws} Secret Access Key [None]: <je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY> + [shared]``AWS`` Access Key ID [None]: <AKIAI44QH8DHBEXAMPLE> + [shared]``AWS`` Secret Access Key [None]: <je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY> @@ -420 +420 @@ The credentials used by the AWS CLI are stored in plaintext files and are **not* -Once you have completed Tasks in AWS GovCloud (US) Regions that require root user access keys, [delete your AWS GovCloud (US) account root user access keys](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-account-root-user#delete-govcloud-root-access-key). +Once you have completed Tasks in AWS GovCloud (US) Regions that require root access keys, [delete your AWS GovCloud (US) account root access keys](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-account-root-user#delete-govcloud-root-access-key). @@ -441 +441 @@ If you would like to retain your AWS GovCloud (US) account root user access keys -We recommend that you use an IAM user with appropriate permissions to [perform tasks and access AWS resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials). However, you can perform the tasks listed below only when you use the AWS GovCloud (US) account root user access keys. Configure AWS GovCloud (US) account root user access keys in the AWS CLI (AWS CloudShell) before starting these tasks. +We recommend that you use an IAM user with appropriate permissions to [perform tasks and access AWS resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials). However, you can perform the tasks listed below only when you use the AWS GovCloud (US) account root user access keys. Configure AWS GovCloud (US) account root access keys in the AWS CLI (CloudShell) before starting these tasks. @@ -449 +449 @@ We recommend that you use an IAM user with appropriate permissions to [perform t - * Remediation of AWS Security Hub CSPM findings + * Remediation of AWS Security Hub findings @@ -451 +451 @@ We recommend that you use an IAM user with appropriate permissions to [perform t - * Rotate my AWS GovCloud (US) account root user access keys + * Rotate my AWS GovCloud (US) account root access keys @@ -453 +453 @@ We recommend that you use an IAM user with appropriate permissions to [perform t - * Deleting my AWS GovCloud (US) account root user access keys + * Deleting my AWS GovCloud (US) account root access keys @@ -455 +455 @@ We recommend that you use an IAM user with appropriate permissions to [perform t - * Securing my AWS GovCloud (US) account root user access keys + * Securing my AWS GovCloud (US) account root access keys @@ -457 +457 @@ We recommend that you use an IAM user with appropriate permissions to [perform t - * Transferring the root user owner + * Transferring the root owner @@ -472 +472 @@ To learn how to sign in to the AWS GovCloud (US) console as an IAM user, see [Si -Before completing Tasks in AWS GovCloud (US) Regions that require root user access keys, you will need to configure the AWS CLI with your AWS GovCloud (US) account root user access keys. To learn how, see Configure AWS GovCloud (US) account root user access keys in the AWS CLI (AWS CloudShell). +Before completing Tasks in AWS GovCloud (US) Regions that require root access keys, you will need to configure the AWS CLI with your AWS GovCloud (US) account root user access keys. To learn how, see Configure AWS GovCloud (US) account root access keys in the AWS CLI (CloudShell). @@ -548 +548 @@ During development or implementation of a new Amazon S3 bucket policy, you may a -Before completing Tasks in AWS GovCloud (US) Regions that require root user access keys, you will need to configure the AWS CLI with your AWS GovCloud (US) account root user access keys. To learn how, see Configure AWS GovCloud (US) account root user access keys in the AWS CLI (AWS CloudShell). +Before completing Tasks in AWS GovCloud (US) Regions that require root access keys, you will need to configure the AWS CLI with your AWS GovCloud (US) account root user access keys. To learn how, see Configure AWS GovCloud (US) account root access keys in the AWS CLI (CloudShell). @@ -572 +572 @@ To learn how to work with files on your operating system in the AWS CLI, see [Lo -The following AWS Security Hub CSPM findings can be remediated by deleting all root access keys in the AWS GovCloud (US) account. To learn how, see Deleting my AWS GovCloud (US) account root user access keys. +The following AWS Security Hub CSPM findings can be remediated by deleting all root access keys in the AWS GovCloud (US) account. To learn how, see Deleting my AWS GovCloud (US) account root access keys. @@ -574 +574 @@ The following AWS Security Hub CSPM findings can be remediated by deleting all r - * [CIS AWS Foundations Benchmark standard: 1.12 – Ensure no root user access key exists](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.12) + * [CIS AWS Foundations Benchmark standard: 1.12 – Ensure no root access key exists](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.12) @@ -589 +589 @@ It is recommended to not have AWS GovCloud (US) root access keys in your account -Before completing Tasks in AWS GovCloud (US) Regions that require root user access keys, you will need to configure the AWS CLI with your AWS GovCloud (US) account root user access keys. To learn how, see Configure AWS GovCloud (US) account root user access keys in the AWS CLI (AWS CloudShell). +Before completing Tasks in AWS GovCloud (US) Regions that require root access keys, you will need to configure the AWS CLI with your AWS GovCloud (US) account root user access keys. To learn how, see Configure AWS GovCloud (US) account root access keys in the AWS CLI (CloudShell). @@ -602,2 +602,2 @@ At this point, the AWS GovCloud (US) root user has two active access keys. - {aws} Access Key ID [None]: AKIAI44QH8DHBEXAMPLE - {aws} Secret Access Key [None]: je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY + [shared]``AWS`` Access Key ID [None]: AKIAI44QH8DHBEXAMPLE + [shared]``AWS`` Secret Access Key [None]: je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY @@ -634 +634 @@ It is recommended to not have AWS GovCloud (US)) root access keys in your accoun -Before completing Tasks in AWS GovCloud (US) Regions that require root user access keys, you will need to configure the AWS CLI with your AWS GovCloud (US) account root user access keys. To learn how, see Configure AWS GovCloud (US) account root user access keys in the AWS CLI (AWS CloudShell). +Before completing Tasks in AWS GovCloud (US) Regions that require root access keys, you will need to configure the AWS CLI with your AWS GovCloud (US) account root user access keys. To learn how, see Configure AWS GovCloud (US) account root access keys in the AWS CLI (CloudShell). @@ -661 +661 @@ You can verify the unused access key was deleted by running the `list-access-key -Safeguard your AWS GovCloud (US) account root user access keys the same way you would protect other sensitive personal information. We don’t recommend generating access keys for your root user, because they allow full access to all your resources for all AWS services. The root user in AWS GovCloud (US) does not support MFA. Don’t use your root user for everyday tasks. Use the root user to complete the tasks that only the root user can perform. For the complete list of these tasks, see Tasks in AWS GovCloud (US) Regions that require root user access keys in this guide. Listed here are best practices to secure your AWS GovCloud (US) account root access keys. +Safeguard your AWS GovCloud (US) account root user access keys the same way you would protect other sensitive personal information. We don’t recommend generating access keys for your root user, because they allow full access to all your resources for all AWS services. The root user in AWS GovCloud (US) does not support MFA. Don’t use your root user for everyday tasks. Use the root user to complete the tasks that only the root user can perform. For the complete list of these tasks, see Tasks in AWS GovCloud (US) Regions that require root access keys in this guide. Listed here are best practices to secure your AWS GovCloud (US) account root access keys. @@ -667 +667 @@ Safeguard your AWS GovCloud (US) account root user access keys the same way you - * If you must keep one available, rotate (change) the access key regularly. To rotate your AWS GovCloud (US) account root user access keys, see Rotate my AWS GovCloud (US) account root user access keys. + * If you must keep one available, rotate (change) the access key regularly. To rotate your AWS GovCloud (US) account root user access keys, see Rotate my AWS GovCloud (US) account root access keys. @@ -674 +674 @@ Safeguard your AWS GovCloud (US) account root user access keys the same way you -The [associated standard AWS accountroot user](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/getting-started-standard-account-linking.html) is the AWS GovCloud (US) account owner. To transfer ownership of your AWS GovCloud (US) account, you will transfer ownership of the related standard AWS account root user, see [How do I transfer my AWS account to another person or business?](https://aws.amazon.com/premiumsupport/knowledge-center/transfer-aws-account/) +The [associated standard AWS account root](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/getting-started-standard-account-linking.html) is the AWS GovCloud (US) account owner. To transfer ownership of your AWS GovCloud (US) account, you will transfer ownership of the related standard AWS account root user, see [How do I transfer my AWS account to another person or business?](https://aws.amazon.com/premiumsupport/knowledge-center/transfer-aws-account/)