Root Account Usage Alarm
More Info:
Root Account Usage should be monitored using CloudWatch alarms.Risk Level
HighAddress
SecurityCompliance Standards
CISAWS, CBP, PCIDSS, SOC2, NIST, HIPAA, ISO27001, HITRUST, AWSWAF, NISTCSFTriage and Remediation
Remediation
Using Console
Using Console
The Root Account Usage Alarm is an AWS Config Rule that checks whether the root account of your AWS account has been used within the last 90 days. If it has been used, it triggers an alarm. To remediate this issue, you can follow the below steps:
- Log in to the AWS Management Console.
- Go to the AWS Config service.
- Click on the Rules tab.
- Search for the Root Account Usage rule and click on it.
- Click on the Remediation action dropdown and select the “Remediate” option.
- In the Remediation action page, select the “Disable root user access keys” option.
- Click on the “Create remediation exception” checkbox.
- Click on the “Remediate” button to remediate the issue.
Using CLI
Using CLI
The Root Account Usage Alarm is triggered when the root account is used to perform any actions in AWS. This is a security risk as the root account has unrestricted access to all resources in the account. To remediate this misconfiguration, follow these steps:
-
Create a new IAM user with administrative privileges.
- Use the AWS CLI command
aws iam create-userto create a new user. - Use the
aws iam create-access-keycommand to generate an access key and secret key for the user. - Use the
aws iam attach-user-policycommand to attach theAdministratorAccesspolicy to the user. This will give the user full administrative privileges.
- Use the AWS CLI command
-
Enable multi-factor authentication (MFA) for the root account.
- Use the
aws iam create-virtual-mfa-devicecommand to create a virtual MFA device. - Use the
aws iam enable-mfa-devicecommand to enable MFA for the root account.
- Use the
-
Remove the access keys for the root account.
- Use the
aws iam delete-access-keycommand to delete the access keys for the root account.
- Use the
-
Create an AWS CloudWatch alarm to monitor root account usage.
- Use the AWS CLI command
aws cloudwatch put-metric-alarmto create an alarm that will trigger if the root account is used to perform any actions in AWS.
- Use the AWS CLI command
Using Python
Using Python
The Root Account Usage Alarm is an AWS CloudWatch alarm that triggers when the root account is used to sign in to the AWS Management Console. This is considered a security risk, as the root account has full access to all AWS resources and should be used only for administrative tasks that cannot be performed by other IAM users.
- Replace
<SNS topic ARN>with the ARN of the SNS topic where you want to receive alarm notifications.