Profile Applicability
Level 1
Description:
The AWS root account is the most privileged account in an AWS account. It has full access to all resources and services. Monitoring the usage of the root account is essential because unauthorized or accidental usage of this account could lead to significant security risks. By tracking the use of the root account, organizations can detect any suspicious or unintended activities and take corrective action quickly.
Rationale:
The AWS root account is powerful and has unrestricted access to all AWS resources, making it a prime target for attackers. Unauthorized access or accidental use of the root account can lead to:
Exposing sensitive data.
Modifying critical resources or configurations.
Compromising the overall security of the AWS environment.
Monitoring root account usage ensures that it is only used for critical administrative tasks and that any activity is promptly detected.
Impact:
Failure to monitor root account usage can lead to:
Increased risk of unauthorized access to resources.
Potential data breaches or modifications by unauthorized users.
Inability to detect misuse of the root account in a timely manner.
By ensuring that root account usage is monitored, organizations can prevent misuse and ensure better accountability.
Default Value:
By default, CloudTrail logs all AWS API calls, including root account activities, but the use of the root account should be explicitly monitored to ensure compliance with best practices and regulatory requirements.
Pre-Requisites:
AWS CLI installed and configured
IAM permissions:
cloudtrail:LookupEvents
cloudwatch:PutMetricData
cloudwatch:DescribeAlarms
AWS CloudTrail should be enabled for logging root account usage events
AWS CloudWatch should be configured to monitor root account activities
Remediation:
Test Plan:
Using AWS Console:
Go to the CloudTrail Console.
Verify that Management Events are enabled to capture API activities, particularly those performed by the root account.
Go to the CloudWatch Console and check for any existing CloudWatch alarms set up to monitor root account activities.
Using AWS CLI:
aws cloudtrail lookup-events --lookup-attributes AttributeKey=Username,AttributeValue=root --query "Events" --output table
To verify if CloudWatch is monitoring root account usage:
aws cloudwatch describe-alarms --query "MetricAlarms[?AlarmName=='RootAccountUsageAlarm']" --output table
Implementation Plan:
Using AWS Console:
Ensure CloudTrail is logging root account activities:
Go to the CloudTrail Console.
Ensure Management Events are enabled, particularly for root account actions.
Logs should be delivered to an S3 bucket for long-term storage and auditing.
Set up CloudWatch metrics and alarms to monitor root account usage:
In the CloudWatch Console, create a custom metric filter to track root account usage.
Set up an alarm to trigger when root account activity is detected.
Using AWS CLI:
Verify CloudTrail is logging root account usage:
aws cloudtrail lookup-events --lookup-attributes AttributeKey=Username,AttributeValue=root --query "Events" --output table
Set up CloudWatch to monitor root account usage (the trail must deliver events to a CloudWatch Logs log group so a metric filter can be applied to it, and the metric goes into a custom namespace such as CloudTrailMetrics, because namespaces beginning with AWS/ are reserved for AWS services):
aws logs put-metric-filter --log-group-name <cloudtrail-log-group> --filter-name "RootAccountUsage" --filter-pattern '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }' --metric-transformations metricName=RootAccountActions,metricNamespace=CloudTrailMetrics,metricValue=1
aws cloudwatch put-metric-alarm --alarm-name "RootAccountUsageAlarm" --metric-name "RootAccountActions" --namespace "CloudTrailMetrics" --statistic "Sum" --period 300 --threshold 1 --comparison-operator "GreaterThanOrEqualToThreshold" --evaluation-periods 1 --actions-enabled --alarm-actions <sns-topic-arn>
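As an added illustration (not part of this document or of any AWS tooling), the following Python applies the same root-usage condition that the CloudWatch metric filter encodes to CloudTrail records offline, so the filter's exclusions can be checked against concrete events; the sample records are constructed, and the filter pattern quoted in the comment is the commonly used one for this control.

```python
import json

# Detection condition for direct root usage, mirroring the CloudWatch Logs
# metric filter pattern commonly used for this control:
#   { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS
#     && $.eventType != "AwsServiceEvent" }
# "invokedBy" marks calls an AWS service made on root's behalf and
# AwsServiceEvent marks service-initiated actions; both are excluded.
def is_direct_root_usage(record: dict) -> bool:
    identity = record.get("userIdentity", {})
    return (
        identity.get("type") == "Root"
        and "invokedBy" not in identity
        and record.get("eventType") != "AwsServiceEvent"
    )

def root_usage_events(records) -> list:
    """Return (eventTime, eventName, sourceIPAddress) for each direct root action."""
    return [
        (r.get("eventTime"), r.get("eventName"), r.get("sourceIPAddress"))
        for r in records if is_direct_root_usage(r)
    ]

def root_usage_from_log(log_text: str) -> list:
    """Parse one CloudTrail log file (JSON with a 'Records' array) and scan it."""
    return root_usage_events(json.loads(log_text).get("Records", []))

# Constructed sample records (not real log data), shaped like CloudTrail output.
SAMPLE_RECORDS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventName": "ConsoleLogin",
     "eventType": "AwsConsoleSignIn", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "accountId": "123456789012"}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventName": "CreateUser",
     "eventType": "AwsApiCall", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "accountId": "123456789012"}},
    {"eventTime": "2024-01-01T10:06:00Z", "eventName": "ListBuckets",
     "eventType": "AwsApiCall", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2024-01-01T10:07:00Z", "eventName": "DescribeTrails",
     "eventType": "AwsApiCall", "sourceIPAddress": "cloudtrail.amazonaws.com",
     "userIdentity": {"type": "Root", "invokedBy": "cloudtrail.amazonaws.com"}},
    {"eventTime": "2024-01-01T10:08:00Z", "eventName": "RotateSecret",
     "eventType": "AwsServiceEvent", "sourceIPAddress": "secretsmanager.amazonaws.com",
     "userIdentity": {"type": "Root"}},
]

if __name__ == "__main__":
    for when, name, src in root_usage_events(SAMPLE_RECORDS):
        print(f"ROOT USAGE {when} {name} from {src}")
```

Only the two direct root actions (the console login and CreateUser) match; the service-invoked and service-event records are ignored, which is why the alarm threshold of 1 does not fire on routine AWS background activity.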
Backout Plan:
Using AWS Console:
If monitoring root account usage causes excessive alarms or logging:
Go to the CloudWatch Console.
Adjust the alarm threshold or the metric filter to prevent unnecessary alarm triggers.
Optionally, disable the alarm temporarily if it is generating too many notifications.
If CloudTrail logging causes performance issues:
Modify CloudTrail settings to reduce the scope of logged events, specifically for non-critical actions.
Using AWS CLI:
If excessive alarms or logging occurs:
Temporarily disable CloudWatch alarms:
aws cloudwatch disable-alarm-actions --alarm-name "RootAccountUsageAlarm"
To stop the trail from logging (this also stops logging of root account usage):
aws cloudtrail stop-logging --name <trail-name>
Re-enable monitoring once issues are resolved:
aws cloudwatch enable-alarm-actions --alarm-name "RootAccountUsageAlarm"
aws cloudtrail start-logging --name <trail-name>