|   Trend Micro Cloud One™
Open menu

AWS Account Root User Activity

Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!

Start a Free Trial Product features
Last updated: 27 October 2018
Risk level: High (not acceptable risk)
Rule ID: IAM-052

Cloud Conformity monitors and notifies on any root API activity performed within your AWS account. When you sign up for Amazon Web Services, you provide login information (an email address and a password) that is associated with your AWS account. This combination of email address and password represents your AWS root account and its credentials allow full access to all AWS services (including billing information) and resources. Since the root user has complete control over your AWS cloud infrastructure and resources, it is imperative to prevent this privileged user from getting into the wrong hands. Although, Cloud Conformity strongly recommends that you avoid using the AWS root user for your everyday tasks or even for the administrative ones, there are particular actions such as changing the root password, viewing account billing information, changing account payment options, restoring IAM user permissions, transferring a Route 53 domain to another AWS account, etc, that can only be performed by the root user. Therefore, to be certain that all root user activity is authorized and expected, it is vital to monitor root API calls to a given AWS account and to get notifications when this type of activity is detected, via the recipients defined in the Cloud Conformity account settings. The communication channels for sending notifications can be easily configured within Cloud Conformity account. The list of supported communication channels that you can use to receive notification alerts are Slack, SMS, Email, PagerDuty, ServiceNow and Zendesk. Through this detection and notification process, Cloud Conformity RTMA gives you the ability to take any necessary steps when an illegitimate root API activity is detected or it can simply be used for tracking root user activity, required for future auditing needs.

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Real-Time Threat Monitoring


Monitoring AWS account root user activity can help your organization to meet security and compliance requirements and enable it to respond fast to any unauthorized root access sessions. As a security best practice, you need to be aware whenever root user activity occurs within your Amazon Web Services account. To achieve and maintain this awareness, you need to enable Cloud Conformity RTMA root API activity monitoring. Because the root user acts like a superuser, anyone who has your root credentials can gain unrestricted access to all resources and services available in your AWS account, including billing information and the ability to change the root password. The most effective way to reduce the risk of unauthorized access and gain real-time visibility into your account root activity is to avoid using the root user credentials for everyday access (to perform high privilege activities, use an admin level IAM user instead) and to monitor each root API call performed within your AWS account.


Publication date Sep 7, 2018

Unlock the Remediation Steps

Gain free unlimited access to our full Knowledge Base

Over 600 rules & best practices for and

Get started for FREE

A verification email will be sent to this address
We keep your information private. Learn more.

Thank you!

Please click the link in the confirmation email sent to

You are auditing:

AWS Account Root User Activity

Risk level: High