AWS: How to get notified on root account login

The root account is so powerful you shouldn't use it. Then make sure nobody else does

4 mins
I have a lot of challenges when it comes to AWS, but I bet your pain points are entirely different than mine. I'd love to hear what keeps you up at night. It would be great to hear from you by filling out this form. Thanks in advance!

Background

One of the first mistake people do is to use the root account for day-to-day tasks. It makes sense, as AWS provides this user, so why not use it? But it is so powerful and replacing it with a lesser user is so easy, there is hardly any justifiable reason not to get rid of it.

But when it comes to security, knowing when something is broken is of equal importance. You don’t use the root user, but it is still accessible. If somebody steals the credentials and use it, you must know that immediately. And there is a way to do so.

Prerequisities

To use CloudTrail events in CloudWatch Events, you need to enable CloudTrail first. There is no notification if you don’t do that, but you won’t get any events.

(Thanks to Christian Salway for catching that)

Detecting root account login

In a nutshell, you need to define a CloudWatch Events rule to detect the login action and send an SNS notification. Since the event dispatch and the notification is separated, you can set up more than a simple email alert, like calling a Lambda function or send an SMS.

The trick is to use the us-east-1 region, as that is where the root users log in. Setting up the Event Rule in that region is essential.

You can use this CloudFormation template to have the notification set up for you automatically. Just don’t forget to switch to the us-east-1 region before deploying it, and subscribe to the resulting SNS topic after.

If you want to do it manually, follow these steps.

Step 1: Set up an SNS topic

First, switch to the us-east-1 region before doing anything else. Then create an SNS topic, subscribe to it, then confirm the subscription.

Unfortunately, the default topic policy does not allow CloudWatch Events to publish to the topic. To allow it, replace the topic policy with this one:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "events.amazonaws.com"
      },
      "Action": "sns:Publish",
      "Resource": "<arn of the topic>"
    }
  ]
}

If you add this to an existing topic, be careful. If there is no policy attached, there is a default one, which allows most services in the account to publish to the topic. By adding an explicit policy, this default is lost, and that might break other publishers.

Step 2: Create an Event Rule

The event is called AWS Console Sign In via CloudTrail. Still in the us-east-1 region, go to the CloudWatch console, and under Events and Rules, add a new rule.

For the Event pattern, use this:

{
  "detail-type": [
    "AWS Console Sign In via CloudTrail"
  ],
  "detail": {
    "userIdentity": {
      "type": [
        "Root"
      ]
    }
  }
}

Finally, add the SNS topic as the target.

Step 3: Test it

Log out and log back in with the root user. An email will arrive seconds after.

References

Did you know we have a free guide on AWS security basics?

Do you have an AWS account? Of course you do, you've just read an article about AWS. But do you know how to secure it?

As a certified security specialist I'm familiar with most of the security controls AWS offers. I've compiled this guide so you don't have to take a month off to learn all that.

5 quick and easy steps to avoid the rookie mistakes and reduce the risk of costly events down the road.

Download the free guide here:

30 January 2019