Certified Security - Specialty


Alert on Root user login using CloudTrail events and Cloudwatch events?

Is it not easier to do this using CloudTrail and CloudWatch Events and generating a Lambda, instead of using CloudWatch metrics, or am I missing something basic?

4 Answers

Hi Alan,

The goal of this lecture is to have a way of being notified when the Root user logs in to the account. The combination of CloudWatch Metrics with an Alarm and SNS (email) is exactly what you’d want to do in this situation.

To use CloudWatch Events with Lambda would over-complicate this basic task. Notifications are a very common thing in AWS and SNS is the way you’d want to accomplish that.

If you were to use Lambda, how would you go about accomplishing the notifications? If it involves using SNS, then you are trying to recreate functionality that already exists with AWS services.

Many of the capabilities of CloudWatch/CloudTrail/SNS are covered in the SysOps Associate course.

Vincent Garcia

It worked only after I spun up an EC2 instance with Root account

Vinay S

The old link is working for me. The problem initially was that the alarm itself did not get created for some reason… I followed the same steps using the root account, the alarm got created and went to the alarm state and sent out the SNS notification.

Matthieu Lienart

Hello Alan & T.J. From CloudWatch Events you can directly send an SNS notification without needing Lambda. That is much simpler, as mentioned below, than what is presented in the video.

I couldn’t get the method in the video to work after following the linked blog article. I did find this article from 2017 which used a CFN template to create the required resources to pretty much achieve the same thing. This worked for me straightaway and alerted me on root usage – not just logging in but other API calls as well.

Aaron Tuwhangai

I had success following the same article. The trick to doing this manually (the article uses a CloudFormation template) is to go to CloudWatch Rules (under Events) and choose "AWS Console Sign-in". Specify the root user ARN (arn:aws:iam:::root).

Alex T.

well said, or just create a CW Rule with the custom pattern the CFN template uses:

Alex T.

{ "detail-type": ["AWS API Call via CloudTrail","AWS Console Sign In via CloudTrail"], "detail": { "userIdentity": { "type": ["Root"] } } }

Joel Rosado

Wanted to add that some of the practice tests I have seen indicate the method Scott pointed out as the correct answer. Haven’t taken the actual test yet to see how the question is phrased, but I definitely got the answer marked as wrong on the practice test because I followed Ryan’s method. Here is the article again the practice test says is correct: https://aws.amazon.com/blogs/mt/monitor-and-notify-on-aws-account-root-user-activity/


My 2 cents (as I’ve wasted a significant amount of time): make sure you add the rule to the us-east-1 region. This is the region the root user signs in to, so the CW events are not triggered in other regions.


Also, I wanted to set up a notification for all sign-ins, but since the IAM user can define the region they sign in to (https://docs.aws.amazon.com/IAM/latest/UserGuide/getting-started_how-users-sign-in.html#console_signin-cloudtrail), I’d need to copy-paste the event and the SNS topic to every region, even future ones.

I believe it makes sense to send your CloudTrail events to CW Logs only when you want to set up several metrics (via custom filters). If you’re only looking to monitor root account logins, then creating a CW event rule is definitely the cheaper solution. From the CW event rule you might as well send the notification directly via SNS, without processing it with a Lambda function.

This is by far the faster way to receive an SNS email notification: using CloudWatch Event Rules directly, monitoring an IAM event of type API call via CloudTrail, with the custom pattern { "detail-type": ["AWS API Call via CloudTrail","AWS Console Sign In via CloudTrail"], "detail": { "userIdentity": { "type": ["Root"] } } }

This is fast because the CloudWatch Events service integrates directly with IAM and CloudTrail and gets notified instantly when that API call happens.

The alternative of metric + alarm depends on CloudTrail having delivered the logs to CloudWatch Logs, which could take up to 15 mins + 5 mins = 20 mins worst case before the metric + alarm picks up and sends the email to you.
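To see which CloudTrail records the rule pattern quoted in this thread would actually fire on, here is an added example (not part of the thread, and not AWS code): a small Python re-implementation of the subset of EventBridge/CloudWatch Events matching this pattern relies on, run offline over constructed sample events. The sample event names and the account id are constructed.

```python
import json

# Rule pattern quoted in the thread (the CFN template's custom pattern).
ROOT_ACTIVITY_PATTERN = json.loads(
    '{ "detail-type": ["AWS API Call via CloudTrail","AWS Console Sign In via CloudTrail"],'
    ' "detail": { "userIdentity": { "type": ["Root"] } } }'
)


def matches(pattern, event):
    """EventBridge-style match for the subset this pattern uses: every pattern key
    must exist in the event, nested objects recurse, and a leaf list means the
    event value must equal one of the listed values. Content filters (prefix,
    anything-but, ...) are deliberately not implemented here."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not (isinstance(actual, dict) and matches(expected, actual)):
                return False
        elif isinstance(expected, list):
            if actual not in expected:
                return False
        else:
            raise ValueError("leaf pattern values must be lists")
    return True


def ct_event(detail_type, user_type, event_name):
    """Constructed event in the shape EventBridge delivers CloudTrail records, trimmed to the fields the rule inspects."""
    return {"detail-type": detail_type,
            "detail": {"eventName": event_name,
                       "userIdentity": {"type": user_type}}}


# Constructed samples: two root actions, one IAM-user login, one non-CloudTrail event.
SAMPLE_EVENTS = {
    "root_console_login": ct_event("AWS Console Sign In via CloudTrail", "Root", "ConsoleLogin"),
    "root_api_call": ct_event("AWS API Call via CloudTrail", "Root", "RunInstances"),
    "iam_user_login": ct_event("AWS Console Sign In via CloudTrail", "IAMUser", "ConsoleLogin"),
    "scheduled_event": {"detail-type": "Scheduled Event", "detail": {}},
}


def root_activity_alerts(events=SAMPLE_EVENTS):
    """Names of the events that would fire the rule and hence its SNS target."""
    return sorted(name for name, ev in events.items() if matches(ROOT_ACTIVITY_PATTERN, ev))
```

Note that the pattern catches root API calls as well as console logins, which is the "not just logging in" behaviour described earlier in the thread, while an IAM user's console login does not match.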
