AWS Root Credentials

 1title: AWS Root Credentials
 2id: 8ad1600d-e9dc-4251-b0ee-a65268f29add
 3status: test
 4description: Detects AWS root account usage
 5references:
 6    - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html
 7author: vitaliy0x1
 8date: 2020/01/21
 9modified: 2022/10/09
10tags:
11    - attack.privilege_escalation
12    - attack.t1078.004
13logsource:
14    product: aws
15    service: cloudtrail
16detection:
17    selection_usertype:
18        userIdentity.type: Root
19    selection_eventtype:
20        eventType: AwsServiceEvent
21    condition: selection_usertype and not selection_eventtype
22falsepositives:
23    - AWS Tasks That Require AWS Account Root User Credentials https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html
24level: medium

References

• AWS account root user - AWS Identity and Access Management

  Manage the root user for an AWS account, including changing its password, and creating and removing access keys.

  
  Read More

Related rules

• AWS Attached Malicious Lambda Layer
• AWS STS AssumeRole Misuse
• AWS STS GetSessionToken Misuse
• AWS Suspicious SAML Activity
• Google Cloud Kubernetes CronJob