Are you tracking root logins in AWS?

Published on 3rd March 2022 Author: Eloghosa Obasuyi

The root account in AWS is the master key to all of your organization’s cloud-hosted systems, activities, and services. If an attacker gets in: game over. It must be well-protected.

A properly configured AWS setup will require very infrequent root logins. Most responsibilities should be doled out to other users with fewer permissions. The root account should not be used for making changes to your organization’s environment. It’s important to track root usage of your organization but some may think this is an easy chore to overlook because of it’s low usage. However, even with infrequent logins, tracking the behavior of the root account is an easily achievable task.

Root logins, attempts, and failures can be tracked with AWS CloudTrail. Users can also set up email notifications for the email address connected to the root account, so the owner can be quickly notified if someone tries to access the root account. Root login attempts should be actively monitored, and very few alerts should ever come through, because people should not be using the root account often if at all for production or business operations.

AWS provides documentation to help users in setting these alerts up. We suggest implementing this ASAP!

Want to get great cybersecurity content delivered to your inbox? Click here to sign up for our monthly newsletter, Tales from the Click.

Eloghosa Obasuyi

Eloghosa was a cybersecurity analyst at Fractional CISO from 2021-2022. He graduated from Columbus State University in Georgia in 2021. In college, he studied cybersecurity and has been honing his cyber skills for years through practice competing at capture-the-flag, cyber defense, and penetration testing events. Eloghosa is an AWS Certified Cloud Practitioner and is Security+ certified. Today, Eloghosa works at AWS as a Cloud Support Engineer - Security.