AWS root account activity

Goal

Detect AWS root user activity.

Strategy

Monitor CloudTrail logs and detect events in which @userIdentity.type is Root and the call was not invoked by an AWS service or a SAML provider. Calls made on the account's behalf by an AWS service (or through a SAML-federated session) are excluded because they are not a human using the root credentials directly.
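The following is an added example, not Datadog's rule engine or query, showing the same logic applied to raw CloudTrail records. The "invoked by an AWS service" exclusion uses the documented userIdentity.invokedBy field (service principals end in .amazonaws.com, or the value is "AWS Internal"); the SAML-provider exclusion is modelled with an assumed userIdentity.identityProvider key carrying a saml-provider ARN, which is a placeholder for however the provider is recorded in your logs. The account ID, IP address, timestamps and the log file itself are constructed sample data.

```python
"""Flag AWS root-user activity in CloudTrail records (added example, not Datadog's code)."""
import json
from typing import Iterable, List

# Assumption: invokedBy naming an AWS service principal, or the "AWS Internal"
# marker, means the call was made by an AWS service rather than a person.
AWS_INTERNAL_INVOKERS = ("AWS Internal",)


def invoked_by_aws_service(identity: dict) -> bool:
    """True when CloudTrail says an AWS service made the call on the root user's behalf."""
    invoked_by = identity.get("invokedBy")
    if not invoked_by:
        return False
    return invoked_by in AWS_INTERNAL_INVOKERS or invoked_by.endswith(".amazonaws.com")


def invoked_via_saml(identity: dict) -> bool:
    """Assumed shape for the SAML exclusion: a hypothetical identityProvider key
    holding a saml-provider ARN. Adjust to the field your trail actually records."""
    provider = identity.get("identityProvider", "")
    return ":saml-provider/" in provider


def is_root_activity(event: dict) -> bool:
    """Root activity = userIdentity.type is Root and no AWS-service or SAML exclusion applies."""
    identity = event.get("userIdentity", {})
    if identity.get("type") != "Root":
        return False
    return not (invoked_by_aws_service(identity) or invoked_via_saml(identity))


def find_root_activity(events: Iterable[dict]) -> List[dict]:
    """Return every record that should raise the alert, in log order."""
    return [event for event in events if is_root_activity(event)]


def load_records(log_text: str) -> List[dict]:
    """CloudTrail log files are a JSON object with a top-level "Records" array."""
    return json.loads(log_text)["Records"]


def summarize(event: dict) -> str:
    """One-line triage summary; sessionContext.attributes.mfaAuthenticated is the
    real CloudTrail field that tells you whether the root session used MFA."""
    identity = event.get("userIdentity", {})
    mfa = identity.get("sessionContext", {}).get("attributes", {}).get("mfaAuthenticated", "unknown")
    return (f"{event.get('eventTime')} {event.get('eventName')} ({event.get('eventSource')}) "
            f"from {event.get('sourceIPAddress')} mfa={mfa}")


# Constructed sample log: account 123456789012 and IP 198.51.100.23 are placeholders.
ROOT = {"type": "Root", "principalId": "123456789012",
        "arn": "arn:aws:iam::123456789012:root", "accountId": "123456789012"}
SAMPLE_LOG = json.dumps({"Records": [
    # Interactive console login as root: should alert.
    {"eventTime": "2024-05-01T12:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.23", "userIdentity": ROOT},
    # Root creating an access key without MFA: should alert.
    {"eventTime": "2024-05-01T12:03:10Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {**ROOT, "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
    # Service acting on the account's behalf: excluded by invokedBy.
    {"eventTime": "2024-05-01T12:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "sourceIPAddress": "cloudtrail.amazonaws.com",
     "userIdentity": {**ROOT, "invokedBy": "cloudtrail.amazonaws.com"}},
    # Ordinary IAM user: not root at all.
    {"eventTime": "2024-05-01T12:06:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    # "AWS Internal" invoker: excluded.
    {"eventTime": "2024-05-01T12:07:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DescribeTrails", "sourceIPAddress": "AWS Internal",
     "userIdentity": {**ROOT, "invokedBy": "AWS Internal"}},
    # Assumed SAML-provider session shape: excluded.
    {"eventTime": "2024-05-01T12:08:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {**ROOT, "identityProvider": "arn:aws:iam::123456789012:saml-provider/ExampleIdP"}},
]})

if __name__ == "__main__":
    for hit in find_root_activity(load_records(SAMPLE_LOG)):
        print("ROOT ACTIVITY:", summarize(hit))
```

Run against the sample log, only the ConsoleLogin and CreateAccessKey records are reported; the summary line carries the MFA flag so the triage question "was this expected?" can be answered faster. When checking the account after an alert, the real AWS CLI call `aws iam get-account-summary` reports the AccountMFAEnabled and AccountAccessKeysPresent counters, which is how you confirm that root MFA is on and that no root access keys remain.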

Triage and response

  1. Determine whether the root API call {{@evt.name}} is expected.
  2. If the action wasn't legitimate, rotate the root credentials, enable 2FA, and open an investigation.