
Suspicious use of AWS APIs with root account credentials

ID: aws_root_access_suspicious
Data type: AWS CloudTrail
Severity: Informational - High
MITRE ATT&CK: TA0001:T1078.004

Description

AlphaSOC detected a login to the AWS root account. Using the AWS root user for anything beyond administrative tasks creates a significant risk due to its unlimited privileges.

Impact

Unrecognized login into the AWS root user account may indicate malicious activity. Compromised root credentials can grant unauthorized users control over cloud resources, allowing them to delete, modify or steal important data, and possibly cover their activity by deleting logs.

Severity

Severity       Condition
Informational  Root account login detected
Low            Unexpected action, ASN, user agent or region
Medium         Two unexpected properties at the same time
Medium         Login with access key ID indicating use of long-term credentials
High           Three unexpected properties at the same time
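The scoring in the table above, written out as an added example (not AlphaSOC's detection code): each root-user CloudTrail event is compared against a baseline of expected actions, ASNs, user agents and regions, and an AKIA-prefixed access key ID marks long-term credentials. The baseline, the IP-to-ASN map and the sample events are constructed for illustration.

```python
# Constructed baseline of what is "expected" for this account's root user.
BASELINE = {
    "actions": {"ConsoleLogin", "GetAccountSummary"},
    "asns": {"AS64500"},
    "user_agents": {"Mozilla/5.0 (corp-browser)"},
    "regions": {"us-east-1"},
}
# Constructed stand-in for an IP-to-ASN lookup; real pipelines use ASN/GeoIP data.
IP_TO_ASN = {"203.0.113.10": "AS64500", "198.51.100.7": "AS64496"}


def unexpected_properties(event):
    """List which of action / ASN / user agent / region fall outside the baseline."""
    checks = {
        "action": event.get("eventName") in BASELINE["actions"],
        "asn": IP_TO_ASN.get(event.get("sourceIPAddress")) in BASELINE["asns"],
        "user_agent": event.get("userAgent") in BASELINE["user_agents"],
        "region": event.get("awsRegion") in BASELINE["regions"],
    }
    return [name for name, ok in checks.items() if not ok]


def uses_long_term_credentials(event):
    """Long-term keys carry an AKIA... accessKeyId; STS keys start with ASIA, console logins have none."""
    return event.get("userIdentity", {}).get("accessKeyId", "").startswith("AKIA")


def score_root_event(event):
    """Map a CloudTrail event to the severity table; None when it is not the root user."""
    if event.get("userIdentity", {}).get("type") != "Root":
        return None
    n = len(unexpected_properties(event))
    if n >= 3:
        return "High"
    if n == 2 or uses_long_term_credentials(event):
        return "Medium"
    if n == 1:
        return "Low"
    return "Informational"


# Constructed sample events (documentation IP ranges, private-use ASNs, fake key ID).
def root_event(name, ip, ua, region, key=""):
    return {"userIdentity": {"type": "Root", "accessKeyId": key}, "eventName": name,
            "sourceIPAddress": ip, "userAgent": ua, "awsRegion": region}

SAMPLE_EVENTS = [
    root_event("ConsoleLogin", "203.0.113.10", "Mozilla/5.0 (corp-browser)", "us-east-1"),
    root_event("ConsoleLogin", "198.51.100.7", "Mozilla/5.0 (corp-browser)", "us-east-1"),
    root_event("GetAccountSummary", "203.0.113.10", "Mozilla/5.0 (corp-browser)", "us-east-1", "AKIAEXAMPLEROOTKEY00"),
    root_event("CreateAccessKey", "198.51.100.7", "curl/8.0", "eu-west-1", "AKIAEXAMPLEROOTKEY00"),
]
```

The four sample events score Informational, Low, Medium and High respectively, matching the table rows.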

Investigation and Remediation

In the event of unauthorized root usage, immediately reset the root credentials and disable any existing access keys for the root user.

Known false positives

  • A user login from a new browser
  • A user login from a new location (e.g., over a VPN)
  • Automated scripts or tools that haven't been updated to use IAM roles instead of root credentials