Root Account Activity Should Be Monitored
More Info:
Checks for activity by the root user. Using the root account is strongly discouraged for everyday tasks, as it carries a high level of privilege and can be risky. Monitoring this activity helps ensure the root account is only being used for authorized purposes.
Risk Level
Medium
Address
Security
Compliance Standards
CBP
Triage and Remediation
Remediation
To remediate the misconfiguration of not monitoring root account activity in AWS IAM using the AWS Management Console, follow these step-by-step instructions:
- Sign in to the AWS Management Console: Go to https://aws.amazon.com/ and sign in to your AWS account using your root account credentials.
- Navigate to CloudTrail: In the AWS Management Console, search for “CloudTrail” in the services search bar and click on the CloudTrail service.
- Create a new trail: Click on the “Trails” option in the left-hand navigation pane, then click on the “Create trail” button.
- Configure trail settings:
  - Enter a name for the trail (e.g., “RootAccountMonitoring”).
  - Choose the S3 bucket where you want to store the CloudTrail logs.
  - Enable the option for “Read/Write events”.
  - Click on “Create” to create the trail.
- Enable logging for the root account: By default, CloudTrail logs all AWS account activity, including actions performed by the root account.
- Set up CloudWatch alarms (optional): You can set up CloudWatch alarms to monitor specific API activity related to the root account. This can help you detect suspicious activity and respond quickly.
- Review and monitor the logs: Regularly review the CloudTrail logs to monitor the activity of the root account and detect any unauthorized actions.
By following these steps, you can remediate the misconfiguration of not monitoring root account activity in AWS IAM using the AWS Management Console and enhance the security of your AWS account.
To remediate the misconfiguration of not monitoring root account activity in AWS IAM using the AWS CLI, follow these steps:
- Enable CloudTrail logging for the AWS account. Run the following AWS CLI command to create the trail:
  ```bash
  aws cloudtrail create-trail --name <trail-name> --s3-bucket-name <bucket-name> --is-multi-region-trail
  ```
  Replace <trail-name> with a suitable name for the CloudTrail trail, and <bucket-name> with the name of the S3 bucket where CloudTrail logs will be stored.
- Enable logging for AWS Management Console sign-in events. Run the following AWS CLI command:
  ```bash
  aws cloudtrail update-trail --name <trail-name> --enable-log-file-validation
  ```
- Configure CloudWatch Events for monitoring root account activity. Create a CloudWatch Events rule that matches API calls made by the root user by running the following AWS CLI command:
  ```bash
  aws events put-rule --name MonitorRootAccountActivity --event-pattern "{\"source\": [\"aws.iam\"],\"detail-type\": [\"AWS API Call via CloudTrail\"],\"detail\":{\"userIdentity\":{\"type\":[\"Root\"]}}}"
  ```
- Create a target for the CloudWatch Events rule to specify the action to be taken when the rule is triggered. For example, you can send an SNS notification by running the following AWS CLI command:
  ```bash
  aws events put-targets --rule MonitorRootAccountActivity --targets "Id"="1","Arn"="<sns-topic-arn>"
  ```
  Replace <sns-topic-arn> with the ARN of the SNS topic where notifications will be sent.
- Enable the CloudWatch Events rule to start monitoring root account activity by running the following AWS CLI command:
  ```bash
  aws events enable-rule --name MonitorRootAccountActivity
  ```
By following these steps, you will successfully remediate the misconfiguration of not monitoring root account activity in AWS IAM using the AWS CLI.
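The event pattern in the CloudWatch Events rule above is keyed on `source: aws.iam`, so it only fires for IAM API calls made by root; a root console sign-in (source `aws.signin`) or a root call to another service would not match it. The following Python snippet is an added example, not code from the original page: it runs that pattern and a broader root-activity predicate (modelled on the CIS "root account usage" metric filter condition) over constructed CloudTrail-style events to show which root actions each one flags. The sample events and the simplified matcher are assumptions of this example, not a full EventBridge implementation.

```python
# Constructed CloudTrail-style events in the shape EventBridge delivers (sample data, not real logs).
SAMPLE_EVENTS = [
    {"source": "aws.signin", "detail-type": "AWS Console Sign In via CloudTrail",
     "detail": {"eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
                "userIdentity": {"type": "Root"}}},
    {"source": "aws.iam", "detail-type": "AWS API Call via CloudTrail",
     "detail": {"eventName": "CreateUser", "eventType": "AwsApiCall",
                "userIdentity": {"type": "Root"}}},
    {"source": "aws.ec2", "detail-type": "AWS API Call via CloudTrail",
     "detail": {"eventName": "RunInstances", "eventType": "AwsApiCall",
                "userIdentity": {"type": "Root"}}},
    {"source": "aws.iam", "detail-type": "AWS API Call via CloudTrail",
     "detail": {"eventName": "CreateUser", "eventType": "AwsApiCall",
                "userIdentity": {"type": "IAMUser", "userName": "alice"}}},
    {"source": "aws.s3", "detail-type": "AWS Service Event via CloudTrail",
     "detail": {"eventName": "PutObject", "eventType": "AwsServiceEvent",
                "userIdentity": {"type": "Root", "invokedBy": "AWS Internal"}}},
]

# The page's put-rule event pattern, as a Python dict.
PAGE_PATTERN = {"source": ["aws.iam"],
                "detail-type": ["AWS API Call via CloudTrail"],
                "detail": {"userIdentity": {"type": ["Root"]}}}

def matches_pattern(event, pattern):
    """Simplified EventBridge matching: every pattern key must exist; lists match any value; dicts recurse."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not (isinstance(event[key], dict) and matches_pattern(event[key], expected)):
                return False
        elif event[key] not in expected:
            return False
    return True

def is_root_activity(detail):
    """CIS-style root-usage check: Root identity, not a service acting for root, not a service event."""
    ident = detail.get("userIdentity", {})
    return (ident.get("type") == "Root"
            and "invokedBy" not in ident
            and detail.get("eventType") != "AwsServiceEvent")

def audit(events, pattern=PAGE_PATTERN):
    """Return (event names caught by the pattern, event names that are genuine root activity)."""
    caught = [e["detail"]["eventName"] for e in events if matches_pattern(e, pattern)]
    root = [e["detail"]["eventName"] for e in events if is_root_activity(e["detail"])]
    return caught, root

if __name__ == "__main__":
    print(audit(SAMPLE_EVENTS))
```

Note also that `aws cloudtrail create-trail` only creates the trail; `aws cloudtrail start-logging --name <trail-name>` must be run before any of these events are delivered.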
To remediate the misconfiguration of not monitoring root account activity in AWS IAM using Python, you can follow these steps:
- Enable AWS CloudTrail for root account activity logging. Use the AWS SDK for Python (Boto3) to enable CloudTrail logging for the root account. Here’s an example code snippet to enable CloudTrail logging:
  ```python
  import boto3

  client = boto3.client('cloudtrail')

  # Make the existing trail capture global-service events (IAM, STS, console sign-in)
  # from every region and enable integrity validation of the delivered log files.
  response = client.update_trail(
      Name='your-cloudtrail-name',
      IncludeGlobalServiceEvents=True,
      IsMultiRegionTrail=True,
      EnableLogFileValidation=True,
  )

  # update_trail only changes settings; the trail must be started to deliver logs.
  client.start_logging(Name='your-cloudtrail-name')
  ```
- Set up CloudWatch alarms for root account activity. Use Boto3 to create CloudWatch alarms that monitor root account activity. Here’s an example code snippet to create a CloudWatch alarm for monitoring root account sign-in events:
  ```python
  import boto3

  logs = boto3.client('logs')
  cloudwatch = boto3.client('cloudwatch')

  # CloudTrail does not publish a sign-in metric by itself. The metric the alarm watches
  # has to be produced by a metric filter on the CloudWatch Logs log group that the
  # trail delivers to (assumed here to be 'your-cloudtrail-log-group').
  logs.put_metric_filter(
      logGroupName='your-cloudtrail-log-group',
      filterName='RootAccountUsage',
      # Matches any root action (sign-in included) not performed by an AWS service on root's behalf
      filterPattern='{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS '
                    '&& $.eventType != "AwsServiceEvent" }',
      metricTransformations=[{
          'metricName': 'RootAccountUsageCount',
          'metricNamespace': 'CloudTrailMetrics',
          'metricValue': '1',
      }],
  )

  # Alarm as soon as a single root event is counted within a 5-minute period.
  response = cloudwatch.put_metric_alarm(
      AlarmName='RootAccountSignInAlarm',
      AlarmDescription='Alarm for Root Account Sign-In Events',
      ComparisonOperator='GreaterThanThreshold',
      EvaluationPeriods=1,
      MetricName='RootAccountUsageCount',
      Namespace='CloudTrailMetrics',
      Period=300,
      Statistic='Sum',
      Threshold=0.0,
      ActionsEnabled=True,
      # Replace with the ARN of the SNS topic created in the next step
      AlarmActions=['arn:aws:sns:your-region:your-account-id:your-sns-topic'],
  )
  ```
- Configure an SNS topic for CloudWatch alarms. You need to create an SNS topic and subscribe to it to receive notifications for CloudWatch alarms. Here’s an example code snippet to create an SNS topic:
  ```python
  import boto3

  client = boto3.client('sns')

  # Create the topic referenced by the alarm's AlarmActions
  response = client.create_topic(Name='RootAccountActivityTopic')
  topic_arn = response['TopicArn']

  # Subscribe an e-mail address (placeholder; the recipient must confirm the
  # subscription before notifications are delivered).
  response = client.subscribe(
      TopicArn=topic_arn,
      Protocol='email',
      Endpoint='you@example.com',
  )
  ```
By following these steps and regularly monitoring the CloudTrail logs and CloudWatch alarms, you can effectively remediate the misconfiguration of not monitoring root account activity in AWS IAM using Python.