Profile Applicability:

Level 1

Description:

Real-time monitoring of AWS Root account usage can be achieved by directing CloudTrail logs to Amazon CloudWatch Logs or an external SIEM environment and configuring corresponding metric filters and alarms. It is recommended to set up CloudWatch metric filters and alarms for root account logins and API calls to detect unauthorized usage.

Rationale:

The root account has unrestricted access to all AWS resources and should never be used for daily operations. Monitoring root account activity helps:

  • Detect unauthorized use of the account.

  • Identify potential security risks.

  • Improve security posture by limiting root account usage.

Best Practices:

  • Avoid using the root account for daily administrative tasks.

  • Use IAM users with least privilege instead.

  • Enable MFA for the root account.

Impact:

  • High: Unauthorized root account usage poses a critical security risk.

  • Excessive false alerts may occur if some services automatically use root privileges (e.g., AWS Service Events).

Mitigation:

  • Limit root account access to break-glass scenarios.

  • Use IAM roles instead of the root account.

Default Value:

By default, AWS does not provide alerts for root account activity unless CloudWatch metrics and alarms are manually configured.

Prerequisites:

  1. IAM Permissions Required:

    • cloudtrail:DescribeTrails

    • cloudtrail:GetTrailStatus

    • logs:DescribeMetricFilters

    • logs:PutMetricFilter

    • cloudwatch:PutMetricAlarm

    • sns:CreateTopic

    • sns:Subscribe

  2. AWS CloudTrail must be enabled across all regions.

  3. Amazon CloudWatch Logs must be integrated with CloudTrail.

Test Plan:

Perform the following steps to verify CloudTrail is logging root account activity and CloudWatch alarms are configured.

Step 1: Verify CloudTrail is Multi-Region and Logging is Active

aws cloudtrail describe-trails

  • Ensure IsMultiRegionTrail is true.

aws cloudtrail get-trail-status --name <trail-name>

  • Ensure IsLogging is true.

aws cloudtrail get-event-selectors --trail-name <trail-name>

  • Ensure IncludeManagementEvents is true and ReadWriteType is All.

Step 2: Check if a Metric Filter Exists for Root Account Usage

aws logs describe-metric-filters --log-group-name <trail-log-group-name>

  • Ensure output includes:

{
  "filterPattern": "{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }"
}

Step 3: Verify CloudWatch Alarm Exists for Root Account Usage

aws cloudwatch describe-alarms --query "MetricAlarms[?MetricName == 'root_usage_metric']"

  • Ensure alarm exists and is associated with an SNS topic.

Step 4: Confirm SNS Topic Has Active Subscriptions

aws sns list-subscriptions-by-topic --topic-arn <sns-topic-arn>

  • Ensure at least one valid subscription exists.

Implementation:

Step 1: Create a CloudWatch Metric Filter

aws logs put-metric-filter \
  --log-group-name <trail-log-group-name> \
  --filter-name root-usage-metric \
  --metric-transformations metricName=root_usage_metric,metricNamespace=CISBenchmark,metricValue=1 \
  --filter-pattern "{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }"
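The metric filter pattern above (checked in Test Plan Step 2 and created in Implementation Step 1) is what decides which CloudTrail records count as root usage. The following added example, not part of the benchmark itself, re-implements that pattern's three conditions in Python and runs it over constructed CloudTrail records, including the two cases the pattern deliberately excludes (service-invoked calls carrying invokedBy, and AwsServiceEvent records), then applies the alarm's Sum/threshold logic. The function and sample names are assumptions.

```python
import json

# Constructed sample CloudTrail records (not real log data). Only the
# fields the metric filter inspects are populated.
SAMPLE_EVENTS = [
    # Interactive root console login: must be flagged.
    {"eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "Root", "accountId": "111111111111"}},
    # API call made directly with root credentials: must be flagged.
    {"eventName": "CreateUser", "eventType": "AwsApiCall",
     "userIdentity": {"type": "Root", "accountId": "111111111111"}},
    # An AWS service acting for the account sets invokedBy: excluded.
    {"eventName": "DescribeInstances", "eventType": "AwsApiCall",
     "userIdentity": {"type": "Root", "invokedBy": "config.amazonaws.com"}},
    # Service-generated event attributed to root: excluded by eventType.
    {"eventName": "RenewalPeriodStarted", "eventType": "AwsServiceEvent",
     "userIdentity": {"type": "Root"}},
    # Ordinary IAM user activity: not root, ignored by the filter.
    {"eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]


def matches_root_usage_filter(event):
    """Python equivalent of the benchmark's CloudWatch Logs filter pattern:
    { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS
      && $.eventType != "AwsServiceEvent" }"""
    identity = event.get("userIdentity") or {}
    return (identity.get("type") == "Root"
            and "invokedBy" not in identity          # NOT EXISTS
            and event.get("eventType") != "AwsServiceEvent")


def events_from_log_lines(text):
    """CloudTrail delivers one JSON document per log line; skip blanks."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def evaluate_alarm(events, threshold=1):
    """Mirror the alarm: metricValue=1 per match, statistic Sum over one
    evaluation period, GreaterThanOrEqualToThreshold. Returns (state, sum)."""
    total = sum(1 for e in events if matches_root_usage_filter(e))
    return ("ALARM" if total >= threshold else "OK", total)


if __name__ == "__main__":
    log_text = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)
    for e in events_from_log_lines(log_text):
        print(e["eventName"], "->", matches_root_usage_filter(e))
    print(evaluate_alarm(SAMPLE_EVENTS))   # expected: ('ALARM', 2)
```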

Step 2: Create an SNS Topic

aws sns create-topic --name security-alerts

Step 3: Subscribe to SNS Topic

aws sns subscribe --topic-arn <sns-topic-arn> --protocol email --notification-endpoint security-team@example.com

Step 4: Create a CloudWatch Alarm

aws cloudwatch put-metric-alarm \
  --alarm-name "root_usage_alarm" \
  --metric-name "root_usage_metric" \
  --namespace "CISBenchmark" \
  --statistic Sum \
  --period 300 \
  --threshold 1 \
  --comparison-operator GreaterThanOrEqualToThreshold \
  --evaluation-periods 1 \
  --alarm-actions <sns-topic-arn>

Remediation:

  1. Identify root account activity in CloudTrail logs.

  2. Ensure MFA is enabled for the root account using the AWS IAM console.

  3. Restrict root account access by ensuring IAM users or roles have sufficient privileges instead.

  4. Rotate credentials immediately if unauthorized root account usage is detected.

  5. Investigate logs for unusual activity if an unauthorized root account login occurs.

Backout Plan:

  • If false alerts are excessive, refine the metric filter by excluding AWS Service Events.

  • If necessary, remove the CloudWatch alarm using (delete-alarms takes the plural --alarm-names flag):

aws cloudwatch delete-alarms --alarm-names "root_usage_alarm"

  • Unsubscribe from SNS alerts using:

aws sns unsubscribe --subscription-arn <subscription-arn>

References:

  1. AWS CloudTrail Documentation

  2. Amazon CloudWatch Alarms

  3. AWS SNS Documentation

  4. AWS IAM Best Practices

CIS Controls Mapping:

  CIS Control Version   Control ID   Control Description
  CIS v8                8.5          Collect detailed audit logs for API activity monitoring.
  CIS v8                8.11         Conduct audit log reviews to detect threats weekly.
  CIS v7                4.9          Log and alert on unsuccessful administrative account login attempts.
  CIS v7                6.3          Enable detailed logging for security analysis.