Monitoring: AWS account root user login
The AWS account root user has complete access to all AWS services and resources in an account. This identity is accessed by signing in with the email address and password used to create the account. As a best practice, we do not recommend using these credentials for everyday tasks.
The AWS account root user should only be used in emergencies, for example, if you have locked yourself out of an AWS account through a misconfigured IAM policy. In day-to-day use, the credentials for the AWS account root user should be kept in a safe place and not used. Using the AWS account root user is a security risk and should be closely monitored.
Without further ado, marbot notifies you about AWS account root user logins. Here is what an alert caused by a root user login looks like in Microsoft Teams.
And here is the same alert in Slack.
marbot works with Slack and Microsoft Teams. Please select your platform and follow the Getting Started guide.
marbot creates EventBridge rules to monitor the following events automatically.
| AWS Console Sign In via CloudTrail | Get notified if a root user signs in. |
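To show what a rule on this event type has to match, here is an added example (not marbot's own rule or code): an assumed EventBridge event pattern for root console sign-ins, plus a small evaluator for the exact-match subset of pattern semantics, run against constructed sample events. The pattern, the helper names, the account ID and the IP address are illustrative assumptions.

```python
# Assumed pattern (not marbot's published rule): root console sign-ins only.
ROOT_SIGNIN_PATTERN = {
    "detail-type": ["AWS Console Sign In via CloudTrail"],
    "detail": {"eventName": ["ConsoleLogin"], "userIdentity": {"type": ["Root"]}},
}

def matches(pattern, event):
    """Exact-match subset of EventBridge semantics: a dict descends into the
    event, a list matches when the event's value is one of its entries."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True

def describe(event):
    """Return alert text for a root sign-in, or None if the event does not match."""
    if not matches(ROOT_SIGNIN_PATTERN, event):
        return None
    d = event["detail"]
    outcome = (d.get("responseElements") or {}).get("ConsoleLogin", "unknown")
    mfa = (d.get("additionalEventData") or {}).get("MFAUsed", "unknown")
    return (f"Root sign-in {outcome} in account {event.get('account')} "
            f"from {d.get('sourceIPAddress')} (MFA: {mfa})")

def make_event(identity_type, outcome, mfa):
    """Build a constructed (not captured) console sign-in event."""
    return {
        "detail-type": "AWS Console Sign In via CloudTrail",
        "account": "111122223333",
        "detail": {
            "eventName": "ConsoleLogin",
            "userIdentity": {"type": identity_type},
            "sourceIPAddress": "203.0.113.10",
            "responseElements": {"ConsoleLogin": outcome},
            "additionalEventData": {"MFAUsed": mfa},
        },
    }

if __name__ == "__main__":
    for ev in (make_event("Root", "Success", "No"),
               make_event("IAMUser", "Success", "Yes"),
               make_event("Root", "Failure", "No")):
        print(describe(ev))
```

Because the pattern does not filter on the sign-in outcome, failed root sign-in attempts are reported as well as successful ones.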