Root Account Usage Alarm
More Info:
Root Account Usage should be monitored using CloudWatch alarms.
Risk Level
High
Address
Security
Compliance Standards
CISAWS, CBP, PCIDSS, SOC2, NIST, HIPAA, ISO27001, HITRUST, AWSWAF, NISTCSF
Triage and Remediation
Remediation
The Root Account Usage Alarm is an AWS Config Rule that checks whether the root account of your AWS account has been used within the last 90 days. If it has been used, it triggers an alarm. To remediate this issue, follow the steps below:
- Log in to the AWS Management Console.
- Go to the AWS Config service.
- Click on the Rules tab.
- Search for the Root Account Usage rule and click on it.
- Click on the Remediation action dropdown and select the “Remediate” option.
- In the Remediation action page, select the “Disable root user access keys” option.
- Click on the “Create remediation exception” checkbox.
- Click on the “Remediate” button to remediate the issue.
This will disable the root user access keys, which will prevent the root account from being used. The remediation exception will ensure that the rule does not trigger again for the same issue.
The Root Account Usage Alarm is triggered when the root account is used to perform any actions in AWS. This is a security risk because the root account has unrestricted access to all resources in the account. To remediate this misconfiguration, follow these steps:
- Create a new IAM user with administrative privileges.
  - Use the AWS CLI command aws iam create-user to create a new user.
  - Use the aws iam create-access-key command to generate an access key and secret key for the user.
  - Use the aws iam attach-user-policy command to attach the AdministratorAccess policy to the user. This will give the user full administrative privileges.
- Enable multi-factor authentication (MFA) for the root account.
  - Use the aws iam create-virtual-mfa-device command to create a virtual MFA device.
  - Use the aws iam enable-mfa-device command to enable MFA for the root account.
- Remove the access keys for the root account.
  - Use the aws iam delete-access-key command to delete the access keys for the root account.
- Create an AWS CloudWatch alarm to monitor root account usage.
  - Use the AWS CLI command aws cloudwatch put-metric-alarm to create an alarm that will trigger if the root account is used to perform any actions in AWS.
By following these steps, you will have created a new IAM user with administrative privileges, enabled MFA for the root account, removed the access keys for the root account, and created an alarm to monitor root account usage. This will help to secure your AWS account and reduce the risk of unauthorized access.
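The final step above creates the alarm, but an alarm on a root-usage metric only fires if a CloudWatch Logs metric filter on the CloudTrail log group actually publishes that metric. The Python below is an added example and not code from the original page: it shows the filter pattern used by the CIS AWS Foundations Benchmark control for root account usage, applies the same logic in Python to a few constructed CloudTrail records so you can see which events count, and builds the keyword arguments for boto3's logs.put_metric_filter() that would publish the RootAccountUsageCount metric in the CloudTrailMetrics namespace. The log group name is a placeholder and the sample records are constructed.

```python
"""Root-usage detection logic behind a RootAccountUsageCount metric.

Added example, not part of the original page. The filter pattern is the one
from the CIS AWS Foundations Benchmark root-usage control; the log group
name used below is a placeholder.
"""

# CloudWatch Logs filter pattern: Root identity that is not acting on behalf
# of an AWS service (invokedBy absent) and is not an AwsServiceEvent.
ROOT_USAGE_FILTER_PATTERN = (
    '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS '
    '&& $.eventType != "AwsServiceEvent" }'
)


def is_root_usage(record: dict) -> bool:
    """Python equivalent of ROOT_USAGE_FILTER_PATTERN for one CloudTrail record."""
    identity = record.get("userIdentity", {})
    return (
        identity.get("type") == "Root"
        and "invokedBy" not in identity
        and record.get("eventType") != "AwsServiceEvent"
    )


def count_root_usage(records: list) -> int:
    """Number of records the metric filter would count (metricValue "1" each)."""
    return sum(1 for r in records if is_root_usage(r))


def metric_filter_params(log_group_name: str,
                         metric_name: str = "RootAccountUsageCount",
                         namespace: str = "CloudTrailMetrics") -> dict:
    """Keyword arguments for boto3 logs.put_metric_filter() that publish the
    metric the alarm watches. Usage (requires credentials, not run here):
        boto3.client("logs").put_metric_filter(**metric_filter_params("<log group>"))
    """
    return {
        "logGroupName": log_group_name,
        "filterName": "RootAccountUsage",
        "filterPattern": ROOT_USAGE_FILTER_PATTERN,
        "metricTransformations": [{
            "metricName": metric_name,
            "metricNamespace": namespace,
            "metricValue": "1",
        }],
    }


# Constructed sample CloudTrail records (not real log data).
SAMPLE_RECORDS = [
    {   # root console sign-in: must count
        "eventType": "AwsConsoleSignIn",
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "Root", "accountId": "123456789012"},
    },
    {   # root API call: must count
        "eventType": "AwsApiCall",
        "eventName": "ListBuckets",
        "userIdentity": {"type": "Root", "accountId": "123456789012"},
    },
    {   # ordinary IAM user: not root
        "eventType": "AwsApiCall",
        "eventName": "ListBuckets",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
    },
    {   # root identity used by an AWS service on the account's behalf: excluded
        "eventType": "AwsApiCall",
        "eventName": "PutObject",
        "userIdentity": {"type": "Root", "invokedBy": "cloudformation.amazonaws.com"},
    },
    {   # service-generated event attributed to root: excluded
        "eventType": "AwsServiceEvent",
        "eventName": "RotateSecret",
        "userIdentity": {"type": "Root"},
    },
]

if __name__ == "__main__":
    print("root-usage events in sample:", count_root_usage(SAMPLE_RECORDS))
    print(metric_filter_params("/aws/cloudtrail/<log group placeholder>"))
```

The two exclusions in the pattern matter for alert quality: without them, every action an AWS service performs on behalf of the account, and every service event attributed to the root identity, would trip the alarm and train responders to ignore it.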
The Root Account Usage Alarm is an AWS CloudWatch alarm that triggers when the root account is used to sign in to the AWS Management Console. This is considered a security risk, as the root account has full access to all AWS resources and should be used only for administrative tasks that cannot be performed by other IAM users.
import boto3


def create_cloudwatch_alarm(metric_name, namespace, alarm_name, alarm_description, threshold, sns_topic_arn):
    # Alarm on a CloudTrail-derived metric: fires when the summed count over a
    # 5-minute period reaches the threshold and notifies the given SNS topic.
    cloudwatch = boto3.client('cloudwatch')
    cloudwatch.put_metric_alarm(
        AlarmName=alarm_name,
        AlarmDescription=alarm_description,
        MetricName=metric_name,
        Namespace=namespace,
        ComparisonOperator='GreaterThanOrEqualToThreshold',
        Threshold=threshold,
        EvaluationPeriods=1,
        Statistic='Sum',
        Period=300,
        ActionsEnabled=True,
        AlarmActions=[sns_topic_arn]
    )


# Placeholder: replace with the ARN of the SNS topic that should receive notifications.
sns_topic_arn = '<SNS topic ARN>'
create_cloudwatch_alarm('RootAccountUsageCount', 'CloudTrailMetrics', 'RootAccountUsageCountAlarm', 'Alarm for Root Account Usage Count', 1, sns_topic_arn)
create_cloudwatch_alarm('RootAccountUsageEventCount', 'CloudTrailMetrics', 'RootAccountUsageEventCountAlarm', 'Alarm for Root Account Usage Event Count', 1, sns_topic_arn)
- Replace <SNS topic ARN> with the ARN of the SNS topic where you want to receive alarm notifications.
Ensure that you have the necessary permissions to create and modify CloudWatch alarms using the AWS CLI or Python script.
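To verify the control this page describes (root account usage is monitored by a CloudWatch alarm) without clicking through the console, the following Python is added here as an example rather than code from the page. It inspects structures shaped like the boto3 responses of logs.describe_metric_filters() and cloudwatch.describe_alarms() and reports what is missing in the chain: a metric filter matching the Root identity type, an alarm on the metric that filter publishes, and an enabled alarm action (such as an SNS topic). The input below is constructed sample data; in practice you would pass the real response lists from the logs and cloudwatch clients.

```python
"""Audit whether root account usage is monitored end to end.

Added example, not code from the page. Inputs mirror the shape of boto3's
logs.describe_metric_filters()["metricFilters"] and
cloudwatch.describe_alarms()["MetricAlarms"]; sample data is constructed.
"""


def audit_root_usage_alarm(metric_filters: list, alarms: list) -> list:
    """Return a list of findings; an empty list means the control is in place."""
    # 1. A metric filter must match on the Root identity type.
    root_filters = [
        f for f in metric_filters
        if 'userIdentity.type = "Root"' in f.get("filterPattern", "")
    ]
    if not root_filters:
        return ["no CloudWatch Logs metric filter matches root account usage"]

    # 2. Some alarm must watch a metric those filters publish.
    published = {
        (t["metricNamespace"], t["metricName"])
        for f in root_filters for t in f.get("metricTransformations", [])
    }
    matching = [
        a for a in alarms
        if (a.get("Namespace"), a.get("MetricName")) in published
    ]
    if not matching:
        metrics = ", ".join(f"{ns}/{name}" for ns, name in sorted(published))
        return [f"no CloudWatch alarm watches root-usage metric(s): {metrics}"]

    # 3. At least one of those alarms must be enabled and notify something.
    if any(a.get("ActionsEnabled") and a.get("AlarmActions") for a in matching):
        return []
    findings = []
    for alarm in matching:
        name = alarm.get("AlarmName", "<unnamed>")
        if not alarm.get("ActionsEnabled", False):
            findings.append(f"alarm {name}: actions are disabled")
        if not alarm.get("AlarmActions"):
            findings.append(f"alarm {name}: no alarm action (no SNS topic notified)")
    return findings


# Constructed sample data (not from a real account).
COMPLIANT_FILTERS = [{
    "filterName": "RootAccountUsage",
    "logGroupName": "/aws/cloudtrail/example",
    "filterPattern": '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy '
                     'NOT EXISTS && $.eventType != "AwsServiceEvent" }',
    "metricTransformations": [{
        "metricName": "RootAccountUsageCount",
        "metricNamespace": "CloudTrailMetrics",
        "metricValue": "1",
    }],
}]
COMPLIANT_ALARMS = [{
    "AlarmName": "RootAccountUsageCountAlarm",
    "Namespace": "CloudTrailMetrics",
    "MetricName": "RootAccountUsageCount",
    "ActionsEnabled": True,
    "AlarmActions": ["arn:aws:sns:us-east-1:123456789012:security-alerts"],
}]
# Same alarm, but nobody is notified when it fires.
SILENT_ALARMS = [dict(COMPLIANT_ALARMS[0], AlarmActions=[])]

if __name__ == "__main__":
    for label, filters, alarms in [
        ("compliant", COMPLIANT_FILTERS, COMPLIANT_ALARMS),
        ("no filter", [], COMPLIANT_ALARMS),
        ("no alarm", COMPLIANT_FILTERS, []),
        ("silent alarm", COMPLIANT_FILTERS, SILENT_ALARMS),
    ]:
        print(label, "->", audit_root_usage_alarm(filters, alarms) or "OK")
```

The third check is the one most often missed in practice: an alarm that exists but has no action, or whose actions are disabled, satisfies a naive "does an alarm exist" query while sending nothing to anyone.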