AWS Root login Alert

AWS Root login Alert

July 23, 2021 / Nirav S

Root User has complete access to all AWS services and resources in the account. Root user account can grant unlimited access to your account and its resources. It’s a best practice to secure root user access to your account.

Set Up An Alert If the root User Logs In Steps:

Go to CloudTrail service

Expand Created Trail

• In CloudWatch Logs section,
• Edit and enable CloudWatch Logs
• Set everything as default and give role name

Now Go to Cloudwatch service

• Expand Logs section
• Go to Log groups section

• Then Choose Create Metric Filter in Action

In Filter pattern , add this

 { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }

• Set Metric detail

• And create metric filter

Now Create Alarm in Alarm Section

• Select Created metric

• Now select greater than 1

• Now create new SNS topic and give your email address
• And click on create topic..
• You will get a confirmation email to the given email address..

• Give Alarm name

• And create Alarm

Now try to login as root , You will get email notification as an alert