Ensure there is an Amazon CloudWatch alarm created and configured in your AWS account to fire each time Root Account is used. This CloudWatch alarm must be triggered every time AWS Root Account is used.
This rule can help you with the following compliance standards:
- The Center of Internet Security AWS Foundations Benchmark
- Payment Card Industry Data Security Standard (PCI DSS)
- NIST 800-53 (Rev. 4)
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
The AWS root account is the account that is created when signing up with Amazon Web Services. We strongly recommend that you do not use the root user for your everyday tasks, or even the administrative ones. Using Amazon CloudWatch alarms to detect AWS Root Account usage will help you monitor AWS (root) account activities that may lead to unauthorised access or other security breaches.
Note 1: For this rule Cloud Conformity assumes that the CloudTrail service is already enabled to stream event log data to CloudWatch within your AWS account, otherwise see this rule to enable AWS Cloudtrail – CloudWatch integration.
Note 2: You have also the option to implement this conformity rule with AWS CloudFormation. Follow the AWS instructions available here
To determine if there are any CloudWatch alarms set up to monitor AWS Root Account usage within your AWS account, perform the following:
Remediation / Resolution
Step 1: Create a Simple Notification Service (SNS) topic and the necessary subscription to send email notifications whenever the appropriate Amazon CloudWatch alarm is triggered.
Step 2: Create the necessary metric filter and the CloudWatch alarm that will fire and send email notifications whenever an AWS Root Account is used
- AWS Documentation
- Amazon CloudWatch Concepts
- Creating CloudWatch Alarms for CloudTrail Events: Examples
- Create a Topic
- Subscribe to a Topic
- How can I create a CloudWatch event rule to notify me that my AWS root user account was used
Unlock the Remediation Steps
Gain free unlimited access
to our full Knowledge Base
Over 750 rules & best practices
Get started for FREE
You are auditing:
Root Account Usage Alarm
Risk level: High