AWS root account activity

Goal

Detect AWS root user activity.

Strategy

Monitor CloudTrail and detect when any @userIdentity.type has a value of Root, but is not invoked by an AWS service or SAML provider.

Triage and response

  1. Determine if the root API Call: {{@evt.name}} is expected.
  2. If the action wasn’t legitimate, rotate the credentials, enable 2FA, and open an investigation.
PREVIEWING: esther/docs-9478-fix-split-after-example