I think they may have changed the behaviour of invokedBy. When I am logged in as root I see all my activity invokedBy "signin.amazonaws.com."
I think this query may give the desired results:
{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy = "signin.amazonaws.com" }
5 Answers
Using the updated query I seem to be getting the results I want. I did not see any false positives but I can’t rule that out.
{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy = "signin.amazonaws.com" }
I set the default value of the metric filter to be 0 (it’s in the the advanced settings) so that each data point it either 0 or 1 (essentially a boolean value). On the alarm, I set the threshold to be ">0" when averaged over a period 15 minutes. The effect was that root activity triggered the metric to be 1 which in turn triggered the alarm. After there was no root activity for about 15 minutes, the alarm turned off.
There is an alarm setting to "treat missing data as good" which may have been useful. I think I could have used it to skip the default 0 and set the threshold to "=1" but it was not the first thing I thought of.
I would have liked to have set the metric filter to be a count of CloudTrail events instead of just 0 or 1 but I couldn’t figure out how to do that quickly and now I’m sort of bored with the whole process. 😉
Thanks aaron8bit I will your query a try. I appreciate u sharing your findings
I went with this filter:
{($.userIdentity.type = Root) && ($.eventType = AwsConsoleSignIn)}
There’s an AWS doco on this, no need to guess or quote random internet material.
On the other hand, it does not appear to work. We are not quoting random internet material, but trying to investigate what filter to use for this purpose.
Is it possible they change the name of this lecture? The example he follows is an AWS article of receiving notifications when Root access keys are used but the lecture wants to do a notification of root login. Those are two separate issues as root access keys could be used from the AWS CLI.
I’m not sure if this is the source of the problem but I followed the instructions at the link below and the only difference was the "Whenver … is >= " value. Once I changed it from 0 to 1, I started getting email notifications.
(FYI, I also came across this – Monitor & Notify on Root user activity https://aws.amazon.com/blogs/mt/monitor-and-notify-on-aws-account-root-user-activity/ )
I can confirm that this generated alarms. What I am not sure about is whether it might generate false positives.
I can confirm that it did create an alert of root user accessing; granted it was delayed by about an hour but it works.