<  Back to rules search

AWS Root credential activity

guardduty

Classification:

attack

Tactic:

Technique:

Framework:

cis-aws

Control:

cis-1.1

Goal

Detect when the AWS root user credentials are used.

Strategy

This rule lets you monitor this GuardDuty integration finding:

Triage and response

  1. Determine whether the root account activity was legitimate.
  • Review the sample for context.
  • Review CloudTrail logs for a full investigation.
  1. If the root user’s credentials are compromised:
  • Review the AWS documentation on remediating compromised AWS credentials.

Root Account Best Practices

Changelog

  • 1 November 2022 - Updated links.