AWS Root User Account Security with Intelligent Notifications


Safeguarding your AWS account's root user is paramount. The root user possesses unparalleled access and control over all resources, making it a prime target for potential security breaches.

To mitigate that risk and stay ahead of unauthorized activity, AWS offers a simple solution: an EventBridge event rule that notifies you whenever the root user signs in. In this post, we cover why this notification is worth having and walk through setting it up with CloudFormation.

Reasons for Using Root User Activity Notifications

  1. Unprecedented Account Access: The AWS root user holds the keys to the kingdom, granting unrestricted access to all resources. Being the highest authority, any malicious intrusion can cause severe damage. With notifications, you stay vigilant against potential threats in real-time.
  2. Immediate Threat Detection: Timely notifications enable rapid response to unauthorised logins. You can promptly investigate suspicious activities and take appropriate actions, preventing security breaches and data compromise.
  3. Enhanced Security Compliance: For industries with strict security requirements, monitoring root user activity is often a compliance mandate. Notifications provide an audit trail, ensuring adherence to security standards.

Setting Up AWS CloudFormation for Root User Notifications

  1. YAML Template Preparation: Copy the provided YAML template into your editor and save it. The template creates an Amazon SNS topic for the notifications, the EventBridge rule that publishes to it, and the topic policy that allows EventBridge to publish. Scroll to the end of this article to view the example YAML file.
  2. Launch CloudFormation Stack: Open the CloudFormation console in the US East (N. Virginia) Region and create a new stack. Console sign-in events are delivered to that Region, so the rule must live there. Upload the saved template and enter meaningful details, such as the stack name and your email address.
  3. Confirm SNS Subscription: AWS sends a confirmation email to the address you provided. Confirm the subscription to activate SNS notifications; until you do, the topic has no confirmed subscriber and nothing is delivered.
  4. Test and Monitor: Log out of the AWS Management Console and log in using your AWS root user account. The sign-in should trigger an email notification, confirming the setup works.

Conclusion

The AWS root user is the heart of your account's security, and timely notifications act as vigilant guardians against potential security threats.

Creating the EventBridge event rule through CloudFormation takes less than 5 minutes and measurably raises the security of your AWS root user account.

Stay proactive and safeguard your cloud infrastructure with intelligent notifications for root user activity.

Example template: ROOT-AWS-Console-Sign-In-via-CloudTrail

# Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
# Permission is hereby granted, free of charge, to any person obtaining a copy of this
# software and associated documentation files (the "Software"), to deal in the Software
# without restriction, including without limitation the rights to use, copy, modify,
# merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
# permit persons to whom the Software is furnished to do so.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
# INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
# PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
# SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

AWSTemplateFormatVersion: '2010-09-09'
Description: ROOT-AWS-Console-Sign-In-via-CloudTrail
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
    - Label:
        default: Amazon SNS parameters
      Parameters:
      - EmailAddress
Parameters:
  EmailAddress:
    Type: String
    AllowedPattern: "^[\\x20-\\x45]?[\\w-\\+]+(\\.[\\w]+)*@[\\w-]+(\\.[\\w]+)*(\\.[a-z]{2,})$"
    ConstraintDescription: Email address required.
    Description: Enter an email address you want to subscribe to the Amazon SNS topic
      that will send notifications if your account's AWS root user logs in.
Resources:
  RootActivitySNSTopic:
    Type: AWS::SNS::Topic
    Properties:
      DisplayName: ROOT-AWS-Console-Sign-In-via-CloudTrail
      Subscription:
      - Endpoint:
          Ref: EmailAddress
        Protocol: email
      TopicName: ROOT-AWS-Console-Sign-In-via-CloudTrail
  EventsRule:
    Type: AWS::Events::Rule
    Properties:
      Description: Events rule for monitoring root AWS Console Sign In activity
      EventPattern:
        detail-type:
        - AWS Console Sign In via CloudTrail
        detail:
          userIdentity:
            type:
            - Root
      Name:
        Fn::Sub: "${AWS::StackName}-RootActivityRule"
      State: ENABLED
      Targets:
      - Arn:
          Ref: RootActivitySNSTopic
        Id: RootActivitySNSTopic
    DependsOn:
    - RootActivitySNSTopic
  RootPolicyDocument:
    Type: AWS::SNS::TopicPolicy
    Properties:
      PolicyDocument:
        Id: RootPolicyDocument
        Version: '2012-10-17'
        Statement:
        - Sid: RootPolicyDocument
          Effect: Allow
          Principal:
            Service: events.amazonaws.com
          # Grants EventBridge publish rights on this topic only; to tighten it
          # further, add a Condition on aws:SourceArn naming the rule's ARN.
          Action: sns:Publish
          Resource:
          - Ref: RootActivitySNSTopic
      Topics:
      - Ref: RootActivitySNSTopic
Outputs:
  EventsRule:
    Value:
      Ref: EventsRule
    Export:
      Name:
        Fn::Sub: "${AWS::StackName}-RootAPIMonitorEventsRule"
    Description: Event Rule ID.
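To see exactly which sign-in events the rule above forwards to the topic, the following added example (not part of the post or of the AWS sample template) re-implements the exact-match subset of EventBridge pattern matching in Python and runs the template's pattern over three constructed console sign-in events; the event shapes mirror real ConsoleLogin records, but every value is a sample.

```python
# Added example (not from the post or the AWS sample): offline check of the
# template's EventBridge pattern against constructed console sign-in events.

# The event pattern from the CloudFormation template, as EventBridge sees it.
ROOT_SIGNIN_PATTERN = {
    "detail-type": ["AWS Console Sign In via CloudTrail"],
    "detail": {"userIdentity": {"type": ["Root"]}},
}


def matches(pattern, event):
    """Exact-match subset of EventBridge semantics: every pattern key must exist,
    list leaves are OR'ed allowed values, dict leaves recurse, other keys are ignored."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        if isinstance(allowed, dict):
            if not isinstance(event[key], dict) or not matches(allowed, event[key]):
                return False
        elif event[key] not in allowed:
            return False
    return True


def summarize(event):
    """Fields a responder wants first when the SNS email arrives."""
    d = event["detail"]
    return {"time": event["time"], "result": d["responseElements"]["ConsoleLogin"],
            "source_ip": d["sourceIPAddress"],
            "mfa_used": d["additionalEventData"].get("MFAUsed", "No")}


def signin_event(identity_type, result, mfa, ip):
    """Constructed console sign-in event: real CloudTrail field names, sample values."""
    return {"detail-type": "AWS Console Sign In via CloudTrail", "source": "aws.signin",
            "time": "2024-01-01T00:00:00Z",
            "detail": {"eventName": "ConsoleLogin",
                       "userIdentity": {"type": identity_type, "accountId": "111122223333"},
                       "sourceIPAddress": ip,
                       "responseElements": {"ConsoleLogin": result},
                       "additionalEventData": {"MFAUsed": mfa}}}


ROOT_OK = signin_event("Root", "Success", "Yes", "203.0.113.10")    # forwarded
ROOT_FAIL = signin_event("Root", "Failure", "No", "198.51.100.7")   # also forwarded
IAM_OK = signin_event("IAMUser", "Success", "Yes", "203.0.113.10")  # ignored by the rule

if __name__ == "__main__":
    for ev in (ROOT_OK, ROOT_FAIL, IAM_OK):
        print(matches(ROOT_SIGNIN_PATTERN, ev), summarize(ev))
```

Because the pattern filters only on the identity type, failed root sign-in attempts reach the topic as well as successful ones, so the email's ConsoleLogin result and MFAUsed fields are the first things to read when a notification arrives.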