Profile Applicability:

  • Level 1


Description:

This control ensures that AWS CloudTrail log data is monitored for any use of the root account. A CloudWatch metric filter and corresponding alarm must be created to detect and alert whenever the root user performs any action. Monitoring root account activity is critical, as this account has unrestricted administrative privileges across all AWS resources.


Rationale:

The AWS root account provides full access to all resources and services within the AWS account. Its use should be highly restricted and only utilized for emergency or account recovery purposes. Detecting and alerting on root account usage helps ensure accountability, prevent misuse, and reduce the risk of accidental or malicious administrative actions that could compromise the environment.


Impact:

  • Positive Impact: Provides immediate visibility into critical account activities. Helps detect unauthorized or accidental root account usage.
  • Negative Impact: Minimal increase in CloudWatch monitoring costs for logs and alerts.


Default Value:

By default, AWS does not create a metric filter or alarm for root account usage. Manual configuration is required.


Pre-Requisite:

  • CloudTrail must be enabled in all regions.
  • CloudTrail logs must be delivered to a CloudWatch Logs group.
  • IAM permissions required: logs:PutMetricFilter, cloudwatch:PutMetricAlarm, and cloudwatch:DescribeAlarms.


Remediation

Test Plan

Using AWS Console:

  1. Sign in to the AWS Management Console.
  2. Navigate to CloudWatch → Logs → Log groups.
  3. Locate the CloudTrail log group (typically named /aws/cloudtrail/...).
  4. Select Create metric filter.
  5. Enter the following filter pattern to detect root account usage:
  6. Assign a metric name such as RootAccountUsage.
  7. Go to CloudWatch → Alarms → Create alarm.
  8. Create an alarm for the RootAccountUsage metric.
  9. Set a threshold (e.g., ≥ 1 occurrence within 5 minutes) and configure SNS notifications to alert the security team.
  10. Save the configuration.

Implementation Plan

Using AWS Console:

  1. Go to CloudWatch → Logs → Log groups.
  2. Open the CloudTrail log group.
  3. Choose Create metric filter and use the following pattern:
  4. Set Metric Name: RootAccountUsage.
  5. Create an Alarm:
    • Metric: RootAccountUsage
    • Namespace: CISBenchmark
    • Condition: ≥ 1 in 5 minutes
    • Actions: Send notification to the security team via SNS topic (e.g., aws-security-alerts)
  6. Save all configurations.


Backout Plan

Using AWS Console:

  1. Go to CloudWatch → Alarms.

  2. Select the RootAccountUsageAlarm.

  3. Choose Actions → Delete.

  4. Go to Logs → Metric Filters.

  5. Delete the RootAccountUsage filter.

References: