AWS Root Credentials
Detects AWS root account usage
Sigma rule
title: AWS Root Credentials
id: 8ad1600d-e9dc-4251-b0ee-a65268f29add
status: test
description: Detects AWS root account usage
references:
    - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html
author: vitaliy0x1
date: 2020-01-21
modified: 2022-10-09
tags:
    - attack.privilege-escalation
    - attack.defense-evasion
    - attack.initial-access
    - attack.persistence
    - attack.t1078.004
logsource:
    product: aws
    service: cloudtrail
detection:
    selection_usertype:
        userIdentity.type: Root
    selection_eventtype:
        eventType: AwsServiceEvent
    condition: selection_usertype and not selection_eventtype
falsepositives:
    - AWS Tasks That Require AWS Account Root User Credentials https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html
level: medium
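To see what the detection block above actually does on log data, here is an added Python example; it is not part of the Sigma project or of this rule. It resolves the rule's dotted field name (userIdentity.type) against nested CloudTrail JSON, applies the condition selection_usertype and not selection_eventtype with Sigma's default case-insensitive string comparison, and returns the matching records. The CloudTrail records and every helper name in it (get_field, matches, run_detection, and so on) are my own constructions, not anything the rule or AWS defines.

```python
"""Evaluate the 'AWS Root Credentials' Sigma logic over CloudTrail records.

Added illustration, not code from the Sigma repository. All records below
are constructed for this example and are not real CloudTrail output.
"""
import json
from typing import Any

# Constructed CloudTrail records, one JSON document per line (the shape you get
# after unpacking the "Records" array of a CloudTrail log file). Only the
# fields the rule and the summary need are present.
SAMPLE_LOG = r"""
{"eventTime":"2024-01-01T10:00:00Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","eventType":"AwsConsoleSignIn","userIdentity":{"type":"Root","arn":"arn:aws:iam::111122223333:root","accountId":"111122223333"},"sourceIPAddress":"203.0.113.10"}
{"eventTime":"2024-01-01T10:05:00Z","eventSource":"iam.amazonaws.com","eventName":"CreateAccessKey","eventType":"AwsApiCall","userIdentity":{"type":"Root","arn":"arn:aws:iam::111122223333:root","accountId":"111122223333"},"sourceIPAddress":"203.0.113.10"}
{"eventTime":"2024-01-01T10:10:00Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets","eventType":"AwsApiCall","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/alice","accountId":"111122223333"},"sourceIPAddress":"198.51.100.7"}
{"eventTime":"2024-01-01T10:15:00Z","eventSource":"health.amazonaws.com","eventName":"AWS_EC2_INSTANCE_RETIREMENT_SCHEDULED","eventType":"AwsServiceEvent","userIdentity":{"type":"Root","accountId":"111122223333","invokedBy":"AWS Internal"},"sourceIPAddress":"AWS Internal"}
"""


def get_field(event: dict, dotted: str) -> Any:
    """Resolve a Sigma-style dotted field name (e.g. 'userIdentity.type')
    against a nested dict; return None if any segment is missing."""
    current: Any = event
    for part in dotted.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current


def field_equals(event: dict, dotted: str, expected: str) -> bool:
    """Sigma string values match case-insensitively by default."""
    value = get_field(event, dotted)
    return value is not None and str(value).lower() == expected.lower()


def selection_usertype(event: dict) -> bool:
    return field_equals(event, "userIdentity.type", "Root")


def selection_eventtype(event: dict) -> bool:
    return field_equals(event, "eventType", "AwsServiceEvent")


def matches(event: dict) -> bool:
    """The rule's condition: selection_usertype and not selection_eventtype."""
    return selection_usertype(event) and not selection_eventtype(event)


def parse_records(text: str) -> list[dict]:
    """Accept either a CloudTrail log file ({"Records": [...]}) or NDJSON."""
    stripped = text.strip()
    if stripped.startswith("{"):
        try:
            doc = json.loads(stripped)
            if isinstance(doc, dict) and "Records" in doc:
                return list(doc["Records"])
        except json.JSONDecodeError:
            pass  # several documents on separate lines: fall through to NDJSON
    return [json.loads(line) for line in stripped.splitlines() if line.strip()]


def run_detection(text: str) -> list[dict]:
    """Return a compact alert summary for every record the rule fires on."""
    alerts = []
    for record in parse_records(text):
        if matches(record):
            alerts.append({
                "rule": "AWS Root Credentials",
                "level": "medium",
                "eventTime": record.get("eventTime"),
                "eventName": record.get("eventName"),
                "eventType": record.get("eventType"),
                "sourceIPAddress": record.get("sourceIPAddress"),
            })
    return alerts


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_LOG):
        print(json.dumps(alert))
```

Running it on the constructed log fires on the ConsoleLogin and CreateAccessKey records (root identity, non-service event) and stays silent on the IAMUser call and on the AwsServiceEvent that AWS itself generated under the root identity, which is exactly the exclusion the second selection exists for. The remaining hits still need triage against the documented list of tasks that legitimately require root credentials.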
Related rules
- AWS IAM S3Browser LoginProfile Creation
- AWS IAM S3Browser Templated S3 Bucket Policy Creation
- AWS IAM S3Browser User or AccessKey Creation
- AWS SAML Provider Deletion Activity
- AWS Successful Console Login Without MFA