--- title: CloudWatch root account use missing description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > CloudWatch root account use missing --- # CloudWatch root account use missing {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `terraform-aws-cloudwatch-root-account-use-alarm-missing` **Provider:** AWS **Platform:** Terraform **Severity:** Medium **Category:** Observability #### Learn More{% #learn-more %} - [Provider Reference](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern) ### Description{% #description %} This check ensures that a log metric filter and alarm are in place to detect AWS root account usage, as this account has full privileges and its use is strongly discouraged. Without correctly associating the alarm with the relevant metric (for example, by setting `metric_name` to the correct log metric filter ID), unauthorized or unintended root account actions may go unnoticed, increasing the risk of privilege escalation or account compromise. A secure configuration will explicitly set `metric_name = aws_cloudwatch_log_metric_filter.cis_root_account_use_metric_filter.id` to guarantee effective alerting on root account activity. ## Compliant Code Examples{% #compliant-code-examples %} ```terraform resource "aws_cloudwatch_log_metric_filter" "cis_root_account_use_metric_filter" { name = "CIS-RootAccountUsage" pattern = "{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }" log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name metric_transformation { name = "CIS-RootAccountUsage" namespace = "CIS_Metric_Alarm_Namespace" value = "1" } } resource "aws_cloudwatch_metric_alarm" "CIS_Root_Account_Use_CW_Alarm" { alarm_name = "CIS-3.3-RootAccountUsage" comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = "1" metric_name = aws_cloudwatch_log_metric_filter.cis_root_account_use_metric_filter.id namespace = "CIS_Metric_Alarm_Namespace" period = "300" statistic = "Sum" threshold = "1" alarm_description = "Monitoring for root account logins will provide visibility into the use of a fully privileged account and an opportunity to reduce the use of it." alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] insufficient_data_actions = [] } ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```terraform resource "aws_cloudwatch_log_metric_filter" "cis_root_account_use_metric_filter" { name = "CIS-RootAccountUsage" pattern = "{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }" log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name metric_transformation { name = "CIS-RootAccountUsage" namespace = "CIS_Metric_Alarm_Namespace" value = "1" } } resource "aws_cloudwatch_metric_alarm" "cis_root_account_use_cw_alarm" { alarm_name = "CIS-3.3-RootAccountUsage" comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = "1" metric_name = "XXX NOT YOUR FILTER XXX" namespace = "CIS_Metric_Alarm_Namespace" period = "300" statistic = "Sum" threshold = "1" alarm_description = "Monitoring for root account logins will provide visibility into the use of a fully privileged account and an opportunity to reduce the use of it." alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] insufficient_data_actions = [] } ``` ```terraform resource "aws_cloudwatch_log_metric_filter" "cis_root_account_use_metric_filter" { name = "CIS-RootAccountUsage" pattern = "{ $.userIdentity.type = \"Root\" && $.eventType != \"AwsServiceEvent\" }" log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name metric_transformation { name = "CIS-RootAccountUsage" namespace = "CIS_Metric_Alarm_Namespace" value = "1" } } resource "aws_cloudwatch_metric_alarm" "cis_root_account_use_cw_alarm" { alarm_name = "CIS-3.3-RootAccountUsage" comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = "1" metric_name = aws_cloudwatch_log_metric_filter.cis_root_account_use_metric_filter.id namespace = "CIS_Metric_Alarm_Namespace" period = "300" statistic = "Sum" threshold = "1" alarm_description = "Monitoring for root account logins will provide visibility into the use of a fully privileged account and an opportunity to reduce the use of it." alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] insufficient_data_actions = [] } ``` ```terraform resource "aws_cloudwatch_log_metric_filter" "cis_root_account_use_metric_filter" { name = "CIS-RootAccountUsage" pattern = "{ $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }" log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name metric_transformation { name = "CIS-RootAccountUsage" namespace = "CIS_Metric_Alarm_Namespace" value = "1" } } resource "aws_cloudwatch_metric_alarm" "cis_root_account_use_cw_alarm" { alarm_name = "CIS-3.3-RootAccountUsage" comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = "1" metric_name = aws_cloudwatch_log_metric_filter.cis_root_account_use_metric_filter.id namespace = "CIS_Metric_Alarm_Namespace" period = "300" statistic = "Sum" threshold = "1" alarm_description = "Monitoring for root account logins will provide visibility into the use of a fully privileged account and an opportunity to reduce the use of it." alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] insufficient_data_actions = [] } ```