Certified Security - Specialty


CHAPTER 4.6 – Set Up An Alert If The Root User Logs In – new solution

Set up a CloudWatch Events rule with this event pattern:

    {
      "detail-type": [
        "AWS API Call via CloudTrail",
        "AWS Console Sign In via CloudTrail"
      ],
      "detail": {
        "userIdentity": {
          "type": [
            "Root"
          ]
        }
      }
    }

Then set the target to an SNS topic, using a topic that already exists.

Log in as root, and you should receive your alert in about a minute.

Josh Blades

I was just watching the video and came up with the exact same solution! I'm curious as to what will appear in the exam, and what's accepted as the correct configuration.

3 Answers

Top banana!
Thanks very much, Gryphon.

Slight variation here. I used "AWS Console Sign In" as the Service Name, with Specific User and the root account ARN as the parameter.

Dear Gryphon, I like your idea, but would still keep to the Cloud Guru advice (please update the video :-), it's very outdated).

If you follow the remediation for 1.1 – Avoid the use of the "root" account in the CIS AWS Foundations Benchmark controls:

https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html

you will find the same filter pattern:

{$.userIdentity.type="Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType !="AwsServiceEvent"}
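Added example, not code from the course, from any poster in this thread, or from AWS: a local model of both patterns discussed here, the CloudWatch Events pattern from the original post and the CIS 1.1 metric filter quoted in the answer above. It runs them over constructed CloudTrail records (placeholder account IDs, ARNs and event names) so the effect of the two extra clauses in the CIS filter is visible without an AWS account: a call made by a service on the root principal's behalf (`invokedBy` set) trips a bare `userIdentity.type = Root` rule but not the CIS filter. The matcher implements only the subset of CloudWatch Events pattern semantics this rule uses, and the event envelope omits fields neither pattern reads.

```python
"""Added example, not code from the course, the thread's posters or AWS: a local
model of the two root-activity patterns in this thread, run against constructed
CloudTrail records so the difference between them can be seen without an AWS
account. Account IDs, ARNs and event names in the samples are placeholders."""
import json

# CloudWatch Events rule pattern from the original post.
EVENT_PATTERN = {
    "detail-type": ["AWS API Call via CloudTrail",
                    "AWS Console Sign In via CloudTrail"],
    "detail": {"userIdentity": {"type": ["Root"]}},
}


def matches_event_pattern(event, pattern=EVENT_PATTERN):
    """Subset of CloudWatch Events matching needed for this rule: every pattern
    key must exist in the event, a list of literals matches when the event value
    is one of them, a nested object recurses; event keys the pattern does not
    name are ignored (so eventType and invokedBy play no part here)."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict):
                return False
            if not matches_event_pattern(event[key], expected):
                return False
        elif event[key] not in expected:
            return False
    return True


def matches_cis_filter(record):
    """The CIS 1.1 metric filter quoted above, applied to a raw CloudTrail record
    (the object a CloudWatch Events rule receives as 'detail'):
    {$.userIdentity.type="Root" && $.userIdentity.invokedBy NOT EXISTS
     && $.eventType !="AwsServiceEvent"}"""
    identity = record.get("userIdentity", {})
    return (identity.get("type") == "Root"
            and "invokedBy" not in identity
            and record.get("eventType") != "AwsServiceEvent")


def envelope(detail_type, record):
    """Wrap a CloudTrail record the way CloudWatch Events delivers it (fields the
    patterns never look at are omitted)."""
    return {"detail-type": detail_type, "detail": record}


# Placeholder root identity shared by the constructed samples below.
ROOT = {"type": "Root", "principalId": "123456789012",
        "arn": "arn:aws:iam::123456789012:root", "accountId": "123456789012"}

# Constructed sample records, keyed by a label, each paired with the
# detail-type CloudWatch Events would attach to it.
SAMPLES = {
    "root console login": ("AWS Console Sign In via CloudTrail", {
        "eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin",
        "eventSource": "signin.amazonaws.com", "userIdentity": dict(ROOT),
        "responseElements": {"ConsoleLogin": "Success"}}),
    "root API call": ("AWS API Call via CloudTrail", {
        "eventType": "AwsApiCall", "eventName": "CreateBucket",
        "eventSource": "s3.amazonaws.com", "userIdentity": dict(ROOT)}),
    # A service calling an API on the root principal's behalf: invokedBy is set.
    "service call on behalf of root": ("AWS API Call via CloudTrail", {
        "eventType": "AwsApiCall", "eventName": "CreateBucket",
        "eventSource": "s3.amazonaws.com",
        "userIdentity": {**ROOT, "invokedBy": "cloudformation.amazonaws.com"}}),
    # An AWS-initiated service event recorded against the account root
    # (constructed; delivered under its own detail-type).
    "service event as root": ("AWS Service Event via CloudTrail", {
        "eventType": "AwsServiceEvent", "eventName": "ExampleServiceEvent",
        "eventSource": "example.amazonaws.com",
        "userIdentity": {**ROOT, "invokedBy": "example.amazonaws.com"}}),
    "IAM user API call": ("AWS API Call via CloudTrail", {
        "eventType": "AwsApiCall", "eventName": "ListBuckets",
        "eventSource": "s3.amazonaws.com",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "arn": "arn:aws:iam::123456789012:user/alice"}}),
}


def evaluate(samples=SAMPLES):
    """Return {label: (event_rule_fires, cis_filter_fires)} for each sample."""
    return {label: (matches_event_pattern(envelope(detail_type, record)),
                    matches_cis_filter(record))
            for label, (detail_type, record) in samples.items()}


def event_pattern_json():
    """The pattern serialised as 'aws events put-rule --event-pattern' expects."""
    return json.dumps(EVENT_PATTERN, indent=2)


if __name__ == "__main__":
    for label, (rule, cis) in evaluate().items():
        print(f"{label:32} CloudWatch Events rule={rule!s:5} CIS filter={cis}")
```

Running the script prints one line per sample. Both patterns fire on the root console login and the direct root API call; only the CloudWatch Events pattern fires on the call made by a service on root's behalf, which is the case the `invokedBy NOT EXISTS` clause was added to suppress. `event_pattern_json()` returns the string to pass to `aws events put-rule --event-pattern` if you create the rule from the CLI rather than the console.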
