Certified Security - Specialty


Alternate way to Detect when a Root User Logs in

If I’m not wrong, there’s now an easier way to detect a root login with a simple CloudWatch rule: choose "AWS Console Sign-In" as the service name, enter the root ARN and that’s it.

4 Answers

Thanks for pointing this out, Emmanuel! I found a CloudFormation template that Amazon published to automate the process you mentioned.

https://aws.amazon.com/premiumsupport/knowledge-center/root-user-account-cloudwatch-rule/

Here is my solution, which I have set up:

1. Turn on GuardDuty.

2. Create a CloudWatch Event rule with this pattern:

```json
{
  "source": [
    "aws.guardduty"
  ],
  "detail": {
    "type": [
      "Policy:IAMUser/RootCredentialUsage"
    ]
  }
}
```

3. Set the target to an SNS topic with your email/SMS.

4. Done.
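To show what the rule in the steps above will and will not forward to the SNS topic, here is an added example that is not from this thread or from AWS. It evaluates the EventBridge pattern against constructed GuardDuty finding events; the finding envelopes, the extra finding types and the function names are assumptions made for illustration, and only exact-value matching is implemented (no numeric, prefix or anything-but matchers).

```python
# Evaluate the EventBridge event pattern from the steps above against constructed
# GuardDuty finding events. Added illustration of how EventBridge matches a
# pattern: every key in the pattern must exist in the event, a list of values is
# an OR, nested objects recurse. Not AWS code; only exact-value matching is
# implemented (no numeric, prefix or anything-but matchers).

ROOT_CREDENTIAL_USAGE_RULE = {
    "source": ["aws.guardduty"],
    "detail": {"type": ["Policy:IAMUser/RootCredentialUsage"]},
}


def event_matches(pattern, event):
    """True if `event` satisfies `pattern` (exact-value lists only)."""
    if isinstance(pattern, dict):
        return isinstance(event, dict) and all(
            key in event and event_matches(sub, event[key]) for key, sub in pattern.items()
        )
    if isinstance(pattern, list):
        return event in pattern  # leaf list: any listed value is accepted
    raise TypeError("pattern leaves must be lists of allowed values")


def _finding(finding_type, severity):
    """Constructed EventBridge envelope for a GuardDuty finding (not real data)."""
    return {
        "version": "0",
        "id": "00000000-0000-0000-0000-000000000000",
        "detail-type": "GuardDuty Finding",
        "source": "aws.guardduty",
        "account": "111122223333",
        "time": "2020-01-01T00:00:00Z",
        "region": "us-east-1",
        "resources": [],
        "detail": {"type": finding_type, "severity": severity, "accountId": "111122223333"},
    }


SAMPLE_EVENTS = {
    "root_credential_usage": _finding("Policy:IAMUser/RootCredentialUsage", 2),
    "port_probe": _finding("Recon:EC2/PortProbeUnprotectedPort", 2),
    "cloudtrail_disabled": _finding("Stealth:IAMUser/CloudTrailLoggingDisabled", 2),
    # A non-GuardDuty event on the same bus must not match the rule.
    "console_signin": {
        "version": "0",
        "detail-type": "AWS Console Sign In via CloudTrail",
        "source": "aws.signin",
        "account": "111122223333",
        "detail": {"eventName": "ConsoleLogin", "userIdentity": {"type": "Root"}},
    },
}


def select(pattern, events=SAMPLE_EVENTS):
    """Labels of the sample events the rule would forward to its target, sorted."""
    return sorted(label for label, ev in events.items() if event_matches(pattern, ev))


# A rule can fan out several finding types to the same SNS topic by listing them.
ROOT_AND_CLOUDTRAIL_RULE = {
    "source": ["aws.guardduty"],
    "detail": {"type": ["Policy:IAMUser/RootCredentialUsage",
                        "Stealth:IAMUser/CloudTrailLoggingDisabled"]},
}

if __name__ == "__main__":
    print(select(ROOT_CREDENTIAL_USAGE_RULE))   # ['root_credential_usage']
    print(select(ROOT_AND_CLOUDTRAIL_RULE))
```

Because a pattern key that is missing from the event fails the match, the rule is silent for events from other sources even when their `detail` happens to describe root activity; a separate rule on the `aws.signin` source would be needed for those.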

```
{ $.responseElements.ConsoleLogin = "Success" && $.eventType = "AwsConsoleSignIn" && $.userIdentity.sessionContext.sessionIssuer.userName = "Root" }
```

This pattern should work.

Note: userName is case-sensitive.

According to the example in https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-aws-console-sign-in-events.html#cloudtrail-event-reference-aws-console-sign-in-events-root, it would be:

```
{ $.userIdentity.type = "Root" && $.eventType = "AwsConsoleSignIn" && $.responseElements.ConsoleLogin = "Success" }
```

You’d probably want to check on API calls too.
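As an added example that is not part of this thread or of AWS's documentation, the following Python evaluates the metric-filter patterns from the third and fourth answers, plus a broader root-activity pattern, against constructed CloudTrail records. The records, account IDs and function names are assumptions made for illustration; the evaluator handles only `=` and `NOT EXISTS` clauses joined by `&&`, not the full CloudWatch Logs filter grammar.

```python
import re

# Minimal evaluator for the JSON form of CloudWatch Logs metric-filter patterns,
#   { $.path.to.field = "value" && $.other.field NOT EXISTS }
# Supports only '=' and 'NOT EXISTS' clauses joined by '&&'. Added for this
# thread as an illustration; it is not AWS code and covers a subset of the grammar.
_CLAUSE = re.compile(
    r'\$\.(?P<path>[A-Za-z0-9_.]+)\s*'
    r'(?:=\s*"(?P<value>[^"]*)"|(?P<not_exists>NOT\s+EXISTS))'
)


def _lookup(record, path):
    """Walk a dotted JSON selector; return None when any segment is missing."""
    node = record
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def compile_pattern(pattern):
    """Parse a filter pattern into a predicate over a decoded CloudTrail record."""
    body = pattern.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("pattern must be enclosed in { }")
    clauses = []
    for raw in body[1:-1].split("&&"):
        m = _CLAUSE.fullmatch(raw.strip())
        if m is None:
            raise ValueError(f"unsupported clause: {raw.strip()!r}")
        clauses.append((m["path"], m["value"], m["not_exists"] is not None))

    def predicate(record):
        for path, value, must_be_absent in clauses:
            actual = _lookup(record, path)
            if must_be_absent:
                if actual is not None:
                    return False
            elif actual != value:  # a missing field never equals the literal
                return False
        return True

    return predicate


# Constructed CloudTrail records (not real log data) shaped like the documented
# console sign-in and API-call events. The root sign-in event carries
# userIdentity.type = "Root" and no sessionContext.sessionIssuer block.
ROOT = {"type": "Root", "principalId": "111122223333",
        "arn": "arn:aws:iam::111122223333:root", "accountId": "111122223333"}
ALICE = {"type": "IAMUser", "principalId": "AIDAEXAMPLEPRINCIPAL", "userName": "alice",
         "arn": "arn:aws:iam::111122223333:user/alice", "accountId": "111122223333"}


def _record(identity, event_type, event_name, response=None):
    rec = {
        "eventVersion": "1.05",
        "userIdentity": identity,
        "eventTime": "2020-01-01T00:00:00Z",
        "eventSource": "signin.amazonaws.com" if event_type == "AwsConsoleSignIn" else "iam.amazonaws.com",
        "eventName": event_name,
        "eventType": event_type,
        "recipientAccountId": "111122223333",
    }
    if response is not None:
        rec["responseElements"] = response
    return rec


SAMPLE_RECORDS = {
    "root_console_login": _record(ROOT, "AwsConsoleSignIn", "ConsoleLogin", {"ConsoleLogin": "Success"}),
    "root_console_login_failed": _record(ROOT, "AwsConsoleSignIn", "ConsoleLogin", {"ConsoleLogin": "Failure"}),
    "root_api_call": _record(ROOT, "AwsApiCall", "CreateUser"),
    "root_via_service": _record({**ROOT, "invokedBy": "cloudformation.amazonaws.com"}, "AwsApiCall", "CreateUser"),
    "iam_user_console_login": _record(ALICE, "AwsConsoleSignIn", "ConsoleLogin", {"ConsoleLogin": "Success"}),
}

# The pattern posted in the third answer, the corrected one from the fourth, and a
# broader one that also catches API calls made with root credentials. The NOT EXISTS
# clause skips calls an AWS service issued on root's behalf (as in the CIS benchmark
# filter, minus its '!=' clause, which this evaluator does not implement).
SESSION_ISSUER_PATTERN = ('{ $.responseElements.ConsoleLogin = "Success" && $.eventType= "AwsConsoleSignIn" '
                          '&& $.userIdentity.sessionContext.sessionIssuer.userName= "Root" }')
ROOT_CONSOLE_PATTERN = ('{ $.userIdentity.type = "Root" && $.eventType = "AwsConsoleSignIn" '
                        '&& $.responseElements.ConsoleLogin = "Success" }')
ROOT_ANY_ACTIVITY_PATTERN = '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS }'


def detect(pattern, records=SAMPLE_RECORDS):
    """Return the labels of the sample records a pattern would match, sorted."""
    predicate = compile_pattern(pattern)
    return sorted(label for label, rec in records.items() if predicate(rec))


if __name__ == "__main__":
    for name, pattern in (("sessionIssuer.userName", SESSION_ISSUER_PATTERN),
                          ("userIdentity.type, console", ROOT_CONSOLE_PATTERN),
                          ("userIdentity.type, any", ROOT_ANY_ACTIVITY_PATTERN)):
        print(f"{name:28} -> {detect(pattern)}")
```

Running it shows the sessionIssuer.userName pattern matching nothing, because a root sign-in record has no sessionContext.sessionIssuer to compare against; the userIdentity.type pattern matches the successful root console sign-in only; and the last pattern additionally flags the failed sign-in and the root API call, which is the "check on API calls too" point, while leaving out the call an AWS service made on root's behalf.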
