More Info:

Checks for activity by any root user. Using the root account is strongly discouraged for everyday tasks because it carries a high level of privilege and can be risky. Monitoring this activity helps ensure the root account is only being used for authorized purposes.

Risk Level

Medium

Address

Security

Compliance Standards

CBP

Triage and Remediation

Remediation

To remediate missing monitoring of root account activity in AWS IAM using the AWS Management Console, follow these steps:

  1. Sign in to the AWS Management Console: Go to https://aws.amazon.com/ and sign in to your AWS account using your root account credentials.

  2. Navigate to CloudTrail: In the AWS Management Console, search for “CloudTrail” in the services search bar and click on the CloudTrail service.

  3. Create a new trail: Click on the “Trails” option in the left-hand navigation pane, then click on the “Create trail” button.

  4. Configure trail settings:

    • Enter a name for the trail (e.g., “RootAccountMonitoring”).
    • Choose the S3 bucket where you want to store the CloudTrail logs.
    • Enable the option for “Read/Write events”.
    • Click on “Create” to create the trail.

  5. Enable logging for the root account: By default, CloudTrail logs all AWS account activity, including actions performed by the root account.

  6. Set up CloudWatch alarms (optional): You can set up CloudWatch alarms to monitor specific API activity related to the root account. This can help you detect suspicious activity and respond quickly.

  7. Review and monitor the logs: Regularly review the CloudTrail logs to monitor the activity of the root account and detect any unauthorized actions.

Following these steps remediates the missing monitoring of root account activity in AWS IAM and enhances the security of your AWS account.
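Steps 6 and 7 come down to picking root-user events out of the CloudTrail records. The following is an added example, not part of the original page: it applies the commonly used root-usage filter (`userIdentity.type` is `Root`, no `invokedBy`, `eventType` not `AwsServiceEvent`) to constructed sample records. The function names and all sample values are assumptions.

```python
import json

# Constructed sample in the CloudTrail log-file layout ({"Records": [...]}).
# Account IDs, IP addresses and timestamps are made up for illustration.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-10T08:15:00Z", "eventName": "ConsoleLogin",
     "eventType": "AwsConsoleSignIn", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
    {"eventTime": "2024-01-10T08:20:00Z", "eventName": "CreateAccessKey",
     "eventType": "AwsApiCall", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
    {"eventTime": "2024-01-10T09:00:00Z", "eventName": "DescribeInstances",
     "eventType": "AwsApiCall", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-01-10T09:30:00Z", "eventName": "Decrypt",
     "eventType": "AwsServiceEvent", "sourceIPAddress": "kms.amazonaws.com",
     "userIdentity": {"type": "Root", "invokedBy": "kms.amazonaws.com"}},
]})


def is_root_activity(record):
    """True when the root user itself acted, not an AWS service on its behalf."""
    identity = record.get("userIdentity") or {}
    return (identity.get("type") == "Root"
            and "invokedBy" not in identity
            and record.get("eventType") != "AwsServiceEvent")


def find_root_activity(log_text):
    """Return one summary dict per root-user event in a CloudTrail log file."""
    records = json.loads(log_text).get("Records", [])
    return [{"time": r.get("eventTime"),
             "event": r.get("eventName"),
             "source_ip": r.get("sourceIPAddress")}
            for r in records if is_root_activity(r)]


if __name__ == "__main__":
    for hit in find_root_activity(SAMPLE_LOG):
        print(f'{hit["time"]}  root  {hit["event"]}  from {hit["source_ip"]}')
```

CloudTrail delivers log files to the S3 bucket gzip-compressed, so decompress each object before passing its text to `find_root_activity`.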