API

AWS root account activity

Docs > Datadog Security > OOTB Rules > AWS root account activity

Classification:

attack

Tactic:

TA0001-initial-access

Technique:

T1078-valid-accounts

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect AWS root user activity.

Strategy

Monitor CloudTrail and detect when any @userIdentity.type has a value of Root, but is not invoked by an AWS service or SAML provider.

Triage and response

Determine if the root API Call: {{@evt.name}} is expected.
If the action wasn’t legitimate, rotate the credentials, enable 2FA, and open an investigation.

For best practices, check out the AWS Root Account Best Practices documentation.
For compliance, check out the CIS AWS Foundations Benchmark controls documentation.