Monitoring: AWS account root user login

The AWS account root user has complete access to all AWS services and resources in an account. This identity is accessed by signing in with the email address and password that was used to create the account. As a best practice, we do not recommend using these credentials for everyday tasks.

Why should you monitor AWS account root user logins?

The AWS account root user should only be used in emergency situations. For example, in case you locked yourself out of an AWS account by a misconfigured IAM policy. In day-to-day use, the credentials for the AWS account root user should be kept in a safe place and not used. The use of the AWS account root user is a security risk and should be closely monitored.

How does monitoring AWS account root user logins work?

Without further ado, marbot notifies you about AWS account root user logins. Here is, what an alert caused by an root user login looks like in Microsoft Teams.

And here is the same alert in Slack.

How to setup monitoring of AWS account root user logins?

marbot works with Slack and Microsoft Teams. Please select your platform and follow the Getting started guide.

• marbot for Slack
• marbot for Microsoft Teams