> ## Documentation Index
> Fetch the complete documentation index at: https://cloudanix.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Root Account Usage Alarm

### More Info:

Root Account Usage should be monitored using CloudWatch alarms.

### Risk Level

High

### Address

Security

### Compliance Standards

CISAWS, CBP, PCIDSS, SOC2, NIST, HIPAA, ISO27001, HITRUST, AWSWAF, NISTCSF

### Triage and Remediation

<Tabs>
  <Tab title="Remediation">
    ### Remediation

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        The Root Account Usage Alarm is an AWS Config Rule that checks whether the root account of your AWS account has been used within the last 90 days. If it has been used, it triggers an alarm. To remediate this issue, you can follow the below steps:

        1. Log in to the AWS Management Console.
        2. Go to the AWS Config service.
        3. Click on the Rules tab.
        4. Search for the Root Account Usage rule and click on it.
        5. Click on the Remediation action dropdown and select the "Remediate" option.
        6. In the Remediation action page, select the "Disable root user access keys" option.
        7. Click on the "Create remediation exception" checkbox.
        8. Click on the "Remediate" button to remediate the issue.

        This will disable the root user access keys, which will prevent the root account from being used. The remediation exception will ensure that the rule does not trigger again for the same issue.

        #
      </Accordion>

      <Accordion title="Using CLI">
        The Root Account Usage Alarm is triggered when the root account is used to perform any actions in AWS. This is a security risk as the root account has unrestricted access to all resources in the account. To remediate this misconfiguration, follow these steps:

        1. Create a new IAM user with administrative privileges.
           * Use the AWS CLI command `aws iam create-user` to create a new user.
           * Use the `aws iam create-access-key` command to generate an access key and secret key for the user.
           * Use the `aws iam attach-user-policy` command to attach the `AdministratorAccess` policy to the user. This will give the user full administrative privileges.

        2. Enable multi-factor authentication (MFA) for the root account.
           * Use the `aws iam create-virtual-mfa-device` command to create a virtual MFA device.
           * Use the `aws iam enable-mfa-device` command to enable MFA for the root account.

        3. Remove the access keys for the root account.
           * Use the `aws iam delete-access-key` command to delete the access keys for the root account.

        4. Create an AWS CloudWatch alarm to monitor root account usage.
           * Use the AWS CLI command `aws cloudwatch put-metric-alarm` to create an alarm that will trigger if the root account is used to perform any actions in AWS.

        By following these steps, you will have created a new IAM user with administrative privileges, enabled MFA for the root account, removed the access keys for the root account, and created an alarm to monitor root account usage. This will help to secure your AWS account and reduce the risk of unauthorized access.
      </Accordion>

      <Accordion title="Using Python">
        The Root Account Usage Alarm is an AWS CloudWatch alarm that triggers when the root account is used to sign in to the AWS Management Console. This is considered a security risk, as the root account has full access to all AWS resources and should be used only for administrative tasks that cannot be performed by other IAM users.

        ```python theme={null}
           def create_cloudwatch_alarm(metric_name, namespace, alarm_name, alarm_description, threshold, sns_topic_arn):
              cloudwatch = boto3.client('cloudwatch')
              cloudwatch.put_metric_alarm(
                    AlarmName=alarm_name,
                    AlarmDescription=alarm_description,
                    MetricName=metric_name,
                    Namespace=namespace,
                    ComparisonOperator='GreaterThanOrEqualToThreshold',
                    Threshold=threshold,
                    EvaluationPeriods=1,
                    Statistic='Sum',
                    Period=300,
                    ActionsEnabled=True,
                    AlarmActions=[sns_topic_arn]
              )

           sns_topic_arn = `<SNS topic ARN>`
           create_cloudwatch_alarm('RootAccountUsageCount', 'CloudTrailMetrics', 'RootAccountUsageCountAlarm', 'Alarm for Root Account Usage Count', 1, sns_topic_arn)
           create_cloudwatch_alarm('RootAccountUsageEventCount', 'CloudTrailMetrics', 'RootAccountUsageEventCountAlarm', 'Alarm for Root Account Usage Event Count', 1, sns_topic_arn)
        ```

        * Replace `<SNS topic ARN>` with the ARN of the SNS topic where you want to receive alarm notifications.

        Ensure that you have the necessary permissions to create and modify CloudWatch alarms using the AWS CLI or Python script.
      </Accordion>
    </AccordionGroup>
  </Tab>
</Tabs>

### Additional Reading:

* [https://aws.amazon.com/blogs/security/how-to-receive-notifications-when-your-aws-accounts-root-access-keys-are-used/](https://aws.amazon.com/blogs/security/how-to-receive-notifications-when-your-aws-accounts-root-access-keys-are-used/)
