Certified Security - Specialty

Sign Up Free or Log In to participate!

CHAPTER 4.6 – Set Up An Alert If The Root User Logs In – new solution

Setup a CloudWatch Events Rule:


"detail-type": [

"AWS API Call via CloudTrail",

"AWS Console Sign In via CloudTrail"


"detail": {

"userIdentity": {

"type": [






Then set the Target to SNS topic, with the Topic being an already existing one.  

Login as root, and you should receive your alert in ~1min.

Josh Blades

I was just watching the video and came up with the exact same solution! I’m curious to what will appear in the Exam, and what’s accepted as the correct configuration.

3 Answers

Top banana! 
Thanks very much Gryphon

Slight variation here. I used "ÄWS Console Sign In" as Service Name with Specific User and Root account ARN as parameter

Dear Gryphon, I like your idea, but would still keep to Cloud Guru advise (Please update the video :-), its very outdated )

If you would follow the remediation of 1.1 – Avoid the use of the "root" account in CIS AWS Foundations Benchmark controls:


you would find same filter pattern:

{$.userIdentity.type="Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType !="AwsServiceEvent"}

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?