AWS: How to get notified on root account login
The root account is so powerful you shouldn't use it. Then make sure nobody else does
Background
One of the first mistake people do is to use the root account for day-to-day tasks. It makes sense, as AWS provides this user, so why not use it? But it is so powerful and replacing it with a lesser user is so easy, there is hardly any justifiable reason not to get rid of it.
But when it comes to security, knowing when something is broken is of equal importance. You don't use the root user, but it is still accessible. If somebody steals the credentials and use it, you must know that immediately. And there is a way to do so.
Prerequisities
To use CloudTrail events in CloudWatch Events, you need to enable CloudTrail first. There is no notification if you don't do that, but you won't get any events.
(Thanks to Christian Salway for catching that)
Detecting root account login
In a nutshell, you need to define a CloudWatch Events rule to detect the login action and send an SNS notification. Since the event dispatch and the notification is separated, you can set up more than a simple email alert, like calling a Lambda function or send an SMS.
The trick is to use the us-east-1 region, as that is where the root users log in. Setting up the Event Rule in that region is essential.
You can use this CloudFormation template to have the notification set up for you automatically.
Just don't forget to switch to the us-east-1 region before deploying it, and subscribe to the resulting SNS topic after.
If you want to do it manually, follow these steps.
Step 1: Set up an SNS topic
First, switch to the us-east-1 region before doing anything else. Then create an SNS topic, subscribe to it, then confirm the subscription.
Unfortunately, the default topic policy does not allow CloudWatch Events to publish to the topic. To allow it, replace the topic policy with this one:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "events.amazonaws.com"
},
"Action": "sns:Publish",
"Resource": "<arn of the topic>"
}
]
}
If you add this to an existing topic, be careful. If there is no policy attached, there is a default one, which allows most services in the account to publish to the topic. By adding an explicit policy, this default is lost, and that might break other publishers.
Step 2: Create an Event Rule
The event is called AWS Console Sign In via CloudTrail. Still in the us-east-1 region, go to the CloudWatch console, and under Events and
Rules, add a new rule.
For the Event pattern, use this:
{
"detail-type": [
"AWS Console Sign In via CloudTrail"
],
"detail": {
"userIdentity": {
"type": [
"Root"
]
}
}
}
Finally, add the SNS topic as the target.
Step 3: Test it
Log out and log back in with the root user. An email will arrive seconds after.
