AWS root account activity

Classification:

attack

Tactic:

Technique:

Goal

Detect AWS root user activity.

Monitor CloudTrail and detect when any @userIdentity.type has a value of Root, but is not invoked by an AWS service or SAML provider.

Determine if the root API Call: {{@evt.name}} is expected.
If the action wasn’t legitimate, rotate the credentials, enable 2FA, and open an investigation.

For best practices, check out the AWS Root Account Best Practices documentation.
For compliance, check out the CIS AWS Foundations Benchmark controls documentation.