Ensure there is an Amazon CloudWatch alarm created and configured in your AWS account to fire each time Root Account is used. This CloudWatch alarm must be triggered every time AWS Root Account is used.
This rule can help you with the following compliance standards:
- The Center of Internet Security AWS Foundations Benchmark
- Payment Card Industry Data Security Standard (PCI DSS)
- APRA
- MAS
- NIST 800-53 (Rev. 4)
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Security The AWS root account is the account that is created when signing up with Amazon Web Services. We strongly recommend that you do not use the root user for your everyday tasks, or even the administrative ones. Using Amazon CloudWatch alarms to detect AWS Root Account usage will help you monitor AWS (root) account activities that may lead to unauthorised access or other security breaches.
Note 1: For this rule Cloud Conformity assumes that the CloudTrail service is already enabled to stream event log data to CloudWatch within your AWS account, otherwise see this rule to enable AWS Cloudtrail – CloudWatch integration.
Note 2: You have also the option to implement this conformity rule with AWS CloudFormation. Follow the AWS instructions available here
Audit
To determine if there are any CloudWatch alarms set up to monitor AWS Root Account usage within your AWS account, perform the following:
01 Sign in to the AWS Management Console.
02 Navigate to Cloudwatch dashboard at https://console.aws.amazon.com/cloudwatch/.
03 In the left navigation panel select Alarms.
04 Open the dashboard Show/Hide Columns dialog box by clicking the configuration icon:
then select the Metric Name checkbox.
05 In the Metric Name column, verify each alarm available for the RootAccountUsageEventCount metric parameter name. If the RootAccountUsageEventCount metric is not used by any of your existing alarms, the AWS root account usage is not monitored using Amazon CloudWatch.
06 Change the AWS region from the navigation bar and repeat the audit process for other regions.
Remediation / Resolution
Step 1: Create a Simple Notification Service (SNS) topic and the necessary subscription to send email notifications whenever the appropriate Amazon CloudWatch alarm is triggered.
01 Sign in to the AWS Management Console.
02 Navigate to SNS dashboard at https://console.aws.amazon.com/sns/v2/.
03 In the navigation panel, select Topics and click the Create new topic button.
04 In the Create new topic dialog box, enter a name and a display name for your topic then click Create Topic.
05 Open the newly created SNS topic configuration page by clicking on its Amazon Resource Name (ARN):
05 Under Subscription section click Create Subscription.
06 Select Email as subscription protocol from the Protocol dropdown list.
07 In the Endpoint box, enter the email address where you want to receive the CloudWatch alarm notifications then click Create Subscription to create the required subscription.
08 Use your preferred email client application to open the message received from AWS Notifications, then click on the appropriate link to confirm your new subscription.
Step 2: Create the necessary metric filter and the CloudWatch alarm that will fire and send email notifications whenever an AWS Root Account is used
01 Sign in to the AWS Management Console.
02 Navigate to Cloudwatch dashboard at https://console.aws.amazon.com/cloudwatch/.
03 In the left navigation panel, select Logs.
04 Select the log group created for your CloudTrail trail event logs and click Create Metric Filter button.
05 On the Define Logs Metric Filter page, paste the following pattern inside the Filter Pattern box and type the following patter: { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }
06 Review the metric filter config details then click Assign Metric.
07 On the Create Metric Filter and Assign a Metric page, perform the following:
- In the Filter Name box, enter a unique name for the new filter, e.g. RootAccountUsage.
- In the Metric Namespace box, type CloudTrailMetrics.
- In the Metric Name box, type RootAccountUsageEventCount for the metric identifier.
- Click Show advanced metric settings to slide down the advanced settings section.
- In the Metric Value box, enter 1.
08 Review the details then click Create Filter to generate your new CloudWatch Logs metric filter.
09 On the current page click Create Alarm: 
.
10 In the Create Alarm dialog box, provide the following information:
- Within the Alarm Threshold section, in the Name and Description fields, enter a unique name and a short description for the new CloudWatch alarm.
- Under Whenever: <Metric Name>, select >= (greater than or equal to) from the is dropdown list and enter 1 as the threshold value in the box next to the dropdown list to trigger the alarm every time Root Account is used.
- In the Actions section, click the + Notification button, select State is ALARM from the Whenever this alarm dropdown menu and choose the AWS SNS topic name created at Step 1 from Send notification to.
- In the Alarm Preview section, select 5 Minutes from the Period dropdown list and Sum from the Statistic list.
- Review the CloudWatch alarm configuration details then click Create Alarm. Once created, the new alarm will be listed on the Alarms page.
References
- AWS Documentation
- Amazon CloudWatch Concepts
- Creating CloudWatch Alarms for CloudTrail Events: Examples
- Create a Topic
- Subscribe to a Topic
- How can I create a CloudWatch event rule to notify me that my AWS root user account was used
- AWS Command Line Interface (CLI) Documentation
- cloudwatch
- describe-alarms-for-metric
- put-metric-alarm
- put-metric-filter
- sns
- create-topic
- subscribe
- confirm-subscription
Unlock the Remediation Steps
Gain free unlimited access
to our full Knowledge Base
Over 750 rules & best practices
for and
Get started for FREE
You are auditing:
Root Account Usage Alarm
Risk level: High