The root account in AWS is the master key to all of your organization’s cloud-hosted systems, activities, and services. If an attacker gets in: game over. It must be well-protected.
A properly configured AWS setup will require very infrequent root logins. Most responsibilities should be doled out to other users with fewer permissions. The root account should not be used for making changes to your organization’s environment. It’s important to track root usage in your organization, but some may think this is an easy chore to overlook because of its low usage. However, even with infrequent logins, tracking the behavior of the root account is an easily achievable task.
Root logins, attempts, and failures can be tracked with AWS CloudTrail. Users can also set up email notifications for the email address connected to the root account, so the owner can be quickly notified if someone tries to access the root account. Root login attempts should be actively monitored, and very few alerts should ever come through, because people should not be using the root account often, if at all, for production or business operations.
AWS provides documentation to help users in setting these alerts up. We suggest implementing this ASAP!
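As an added example (not from the original post or from AWS), here is one way to pick root logins, failed attempts, and other root activity out of CloudTrail records. The sample records are constructed with placeholder account IDs and IP addresses, and the function names `classify` and `root_alerts` are hypothetical.

```python
import json

# Constructed sample records shaped like CloudTrail events (placeholder account ID and IPs).
SAMPLE = json.loads("""[
  {"eventTime": "2024-05-01T09:00:00Z", "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
   "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "Root", "accountId": "111122223333"},
   "responseElements": {"ConsoleLogin": "Failure"}, "additionalEventData": {"MFAUsed": "No"}},
  {"eventTime": "2024-05-01T09:02:00Z", "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
   "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "Root", "accountId": "111122223333"},
   "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
  {"eventTime": "2024-05-01T09:05:00Z", "eventName": "CreateAccessKey", "eventType": "AwsApiCall",
   "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "Root", "accountId": "111122223333"}},
  {"eventTime": "2024-05-01T09:06:00Z", "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
   "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "IAMUser", "userName": "alice"},
   "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
  {"eventTime": "2024-05-01T09:07:00Z", "eventName": "GenerateDataKey", "eventType": "AwsServiceEvent",
   "userIdentity": {"type": "Root", "accountId": "111122223333", "invokedBy": "AWS Internal"}}
]""")

def classify(event):
    """Return an alert dict for root-user activity, or None if the event is not of interest."""
    ident = event.get("userIdentity") or {}
    if ident.get("type") != "Root":
        return None
    # Skip actions an AWS service performed on the account's behalf.
    if "invokedBy" in ident or event.get("eventType") == "AwsServiceEvent":
        return None
    alert = {"time": event.get("eventTime"), "source_ip": event.get("sourceIPAddress"),
             "event": event.get("eventName")}
    if event.get("eventName") == "ConsoleLogin":
        # Sign-in events carry the outcome and whether MFA was used.
        outcome = (event.get("responseElements") or {}).get("ConsoleLogin", "Unknown")
        alert["kind"] = "root-login-" + outcome.lower()
        alert["mfa_used"] = (event.get("additionalEventData") or {}).get("MFAUsed", "Unknown")
    else:
        alert["kind"] = "root-api-call"
    return alert

def root_alerts(events):
    """Classify every event and keep only the root-user alerts, in input order."""
    return [a for a in map(classify, events) if a is not None]

if __name__ == "__main__":
    for a in root_alerts(SAMPLE):
        print(a)
```

Because root use should be rare, every alert this produces is worth a human look; a successful root login with `mfa_used` set to `No` deserves the most urgent one.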