Certified Security - Specialty

Sign Up Free or Log In to participate!

Alternate way to Detect when a Root User Logs in

If I’m not wrong, there’s now an easiest way to detect a root login with a simple CloudWatch rule : choose "AWS Console Sign-In" as the service name, enter the root ARN and that’s it.

4 Answers

Thanks for pointing this out Emmanuel! I found a CloudFormation template that Amazon published to automate the process you mentioned.



Here is my Solution which I have setup:

1. Turn on GuardDuty

2. Create CloudWatch Event with Pattern:

  "source": [    
  "detail": {    
    "type": [    

3. Set Target SNS topic with your email/sms

4. Done.

{ $.responseElements.ConsoleLogin = "Success" && $.eventType= "AwsConsoleSignIn" && $.userIdentity.sessionContext.sessionIssuer.userName= "Root"} 

this pattern should work 

Note- userName is case sensitive

According to the example in https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-aws-console-sign-in-events.html#cloudtrail-event-reference-aws-console-sign-in-events-root, it would be 

{$.userIdentity.type = "Root" && $.eventType="AwsConsoleSignIn" && $.responseElements.ConsoleLogin = "Success"}.  

You’d probably want to check on API calls too.

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?