CloudWatch log metric filter and alarm for usage of root account should be configured

Description

A CloudWatch metric filter and alarm should be established for root login attempts. Monitoring for root account logins provides visibility into the use of a fully privileged account and the opportunity to reduce it.

Console Remediation Steps

  • This is a two part process. First, you create the Metric Filter.

    • Navigate to CloudWatch.

    • In the left navigation pane, select Logs.

    • Select the log group you created for the CloudTrail Log events.

    • Click Create Metric Filter.

    • On the Define Logs Metric Filter screen, choose Filter Pattern and then type the following: { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }

    • Choose Assign Metric.

    • For Filter Name, type RootAccountUsage.

    • For Metric Namespace, type CloudTrailMetrics.

    • For Metric Name, type RootAccountUsageCount.

    • Choose Show advanced metric settings.

    • For Metric Value, type 1.

    • Choose Create Filter.

  • Create an Alarm. After you create the metric filter, follow the steps below to create an alarm.

    • On the Filters for Log_Group_Name page, click Create Alarm.

    • On the Create Alarm page, provide the following values:

      • In Name, enter Root Account Usage.

      • In Whenever, enter is >= 1 for 1 consecutive period.

      • From the period drop-down, select 5 minutes.

      • From the Statistic drop-down, select Sum.

      • In the Actions section, in the Send notification to field, select New List and enter a unique name for it.

      • In Email List, type the email address to which you want notifications sent.

    • Click Create Alarm.

CLI Remediation Steps