Suspicious use of AWS APIs with root account credentials
ID: aws_root_access_suspicious
Data type: AWS CloudTrail
Severity: Informational to High
MITRE ATT&CK: TA0001 (Initial Access), T1078.004 (Valid Accounts: Cloud Accounts)
Description
AlphaSOC detected a login to the AWS root account. Using the AWS root user for anything beyond administrative tasks creates a significant risk due to its unlimited privileges.
Impact
Unrecognized login into the AWS root user account may indicate malicious activity. Compromised root credentials can grant unauthorized users control over cloud resources, allowing them to delete, modify or steal important data, and possibly cover their activity by deleting logs.
Severity
| Severity | Condition |
|---|---|
| Informational | Root account login detected |
| Low | One unexpected property (action, ASN, user agent or region) |
| Medium | Two unexpected properties at the same time |
| Medium | Login with an access key ID indicating use of long-term credentials |
| High | Three unexpected properties at the same time |
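To make the scoring concrete, here is an added Python sketch (not AlphaSOC's code) that applies the conditions in the table above to constructed CloudTrail-style events. It assumes each event has been enriched with an `asn` field (CloudTrail itself only records `sourceIPAddress`) and uses a hypothetical baseline of expected root-activity properties; when the long-term-credential condition and a single unexpected property coincide, it reports the higher severity.

```python
"""Severity scoring for root-credential CloudTrail events (added example, not AlphaSOC's code)."""
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class RootBaseline:
    """Properties normally observed for root activity (constructed, hypothetical values)."""
    actions: set = field(default_factory=lambda: {"ConsoleLogin", "GetAccountSummary"})
    asns: set = field(default_factory=lambda: {"AS16509"})
    user_agents: set = field(default_factory=lambda: {"aws-sdk-go/1.44"})
    regions: set = field(default_factory=lambda: {"us-east-1"})

def severity(event: dict, baseline: RootBaseline) -> Optional[str]:
    """Return the severity from the table, or None if the event is not root activity."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "Root":
        return None  # rule only covers root credentials
    unexpected = [
        event.get("eventName") not in baseline.actions,
        event.get("asn") not in baseline.asns,  # "asn" is an enrichment field assumed here
        event.get("userAgent") not in baseline.user_agents,
        event.get("awsRegion") not in baseline.regions,
    ]
    n = sum(unexpected)
    # Access key IDs starting with "AKIA" are long-term keys; temporary STS keys start with "ASIA".
    long_term = str(ident.get("accessKeyId", "")).startswith("AKIA")
    if n >= 3:
        return "High"
    if n == 2 or long_term:
        return "Medium"
    if n == 1:
        return "Low"
    return "Informational"

# Constructed sample events in CloudTrail's field layout (trimmed to the fields used above).
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "awsRegion": "us-east-1", "userAgent": "aws-sdk-go/1.44",
     "asn": "AS16509", "userIdentity": {"type": "Root"}},                     # Informational
    {"eventName": "ConsoleLogin", "awsRegion": "us-east-1", "userAgent": "aws-sdk-go/1.44",
     "asn": "AS64512", "userIdentity": {"type": "Root"}},                     # Low: new ASN
    {"eventName": "DeleteTrail", "awsRegion": "ap-southeast-2", "userAgent": "curl/8.0",
     "asn": "AS64512", "userIdentity": {"type": "Root", "accessKeyId": "AKIAEXAMPLEKEY00001"}},  # High
    {"eventName": "ConsoleLogin", "awsRegion": "us-east-1", "userAgent": "aws-sdk-go/1.44",
     "asn": "AS16509", "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLEKEY00002"}},  # None
]

def score_all(events: list, baseline: Optional[RootBaseline] = None) -> list:
    """Score a batch of events against the baseline (default baseline if none given)."""
    baseline = baseline or RootBaseline()
    return [severity(e, baseline) for e in events]
```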
Investigation and Remediation
In the event of unauthorized root usage, immediately reset the root credentials and disable any existing access keys for the root user.
Known false positives
- A user login from a new browser
- A user login from a new location (e.g., over a VPN)
- Automated scripts or tools that haven't been updated to use IAM roles instead of root credentials