AWS root account activity


Detect AWS root user activity.


Monitor CloudTrail and detect when any @userIdentity.type has a value of Root, but is not invoked by an AWS service or SAML provider.

Triage and response

  1. Determine if the root API Call: {{}} is expected.
  2. If the action wasn’t legitimate, rotate the credentials, enable 2FA, and open an investigation.