How to protect your AWS Root Account?

May 31, 2022

One of the first steps when creating an Amazon Web Services (AWS) account is to create an identity that has access and control of all AWS resources. This identity is known as the account owner or root user. It is not advisable to use the root account for daily tasks, so you need to create Identity and Access Management (IAM) users who have limited control over the account. 

Because the root user can take any action in your environment, you need to make sure it is well protected. 

Implementing strict security controls for the root account is a must for organizations. One of the most critical recommendations is not to use this account for everyday tasks. However, a recent audit found that the root account was used in 143 accounts across 65 organizations.

Our Cybersecurity Studio helps clients build safer digital experiences. Understanding security risks and using AWS tools properly ensures your digital environment is secured, allowing your organization to focus on developing better services and experiences.

Abigail Kauf, certified AWS security specialist

In this blog, we will explore how to secure your root account.

Basic recommendations

Before diving into the setup steps, we advise you to follow these simple recommendations to protect your root user:

  • Do not use a root user for daily tasks. Use your root user only to create an IAM user.
  • Do not create an access key for this account unless it is strictly necessary; if one already exists, delete it.
  • If you do need a key for this account, rotate it periodically. 
  • Never share the key or password with anyone. 
  • Use a strong password to protect the security of your account. 
  • Enable MFA (Multi-factor Authentication) for this account. 

How to enable monitoring for the root user with CloudTrail 

Monitoring root account login attempts is crucial. The following steps explain how to use AWS CloudTrail to audit this security event. 

You can audit root user login attempts in CloudTrail; the following example shows a root console login event:

{
    "eventVersion": "1.05",
    "userIdentity": {
        "type": "Root",
        "principalId": "AIDACKCEVSQ6C2EXAMPLE",
        "arn": "arn:aws:iam::111122223333:root",
        "accountId": "111122223333",
        "accessKeyId": ""
    },
    "eventTime": "2018-08-29T16:24:34Z",
    "eventSource": "signin.amazonaws.com",
    "eventName": "ConsoleLogin",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:62.0) Gecko/20100101 Firefox/62.0",
    "requestParameters": null,
    "responseElements": {
        "ConsoleLogin": "Success"
    },
    "additionalEventData": {
        "LoginTo": "https://console.aws.amazon.com/console/home?state=hashArgs%23&isauthcode=true",
        "MobileVersion": "No",
        "MFAUsed": "No"
    },
    "eventID": "deb1e1f9-c99b-4612-8e9f-21f93b5d79c0",
    "eventType": "AwsConsoleSignIn",
    "recipientAccountId": "111122223333"
}

  1. To enable CloudTrail to record the login activity, create a new trail in the AWS CloudTrail console by selecting "Create trail." Then enter the trail name, the storage location, the folder name, and the log file encryption settings. Also specify whether you want an AWS KMS key and notifications, and whether the logs should be sent to CloudWatch Logs. 
  2. Select the types of events for which you want logging enabled. In this case, management events are enough. Click Next.
  3. In step three, review the information and select Create. 

Then, you will see the events in the S3 Bucket defined to store the CloudTrail information. 
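As an added illustration (not code from the original post), the following Python detector reads one CloudTrail log file in the {"Records": [...]} layout that lands in that S3 bucket and flags every root-user record: successful root console logins without MFA, failed root login attempts, and API calls signed with a root access key. The sample input is constructed around the root ConsoleLogin record shown above, with two additional constructed records.

```python
import json

# Constructed sample in the {"Records": [...]} layout of a CloudTrail log file: the
# page's root ConsoleLogin record, a constructed failed root login, and an IAM-user login.
SAMPLE_LOG_FILE = json.dumps({"Records": [
    {"userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root",
                      "accountId": "111122223333", "accessKeyId": ""},
     "eventTime": "2018-08-29T16:24:34Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "192.0.2.0",
     "requestParameters": None, "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"userIdentity": {"type": "Root", "accountId": "111122223333"},
     "eventTime": "2018-08-29T16:20:01Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "192.0.2.7",
     "responseElements": {"ConsoleLogin": "Failure"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"userIdentity": {"type": "IAMUser", "userName": "alice"},
     "eventTime": "2018-08-29T17:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "192.0.2.9",
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
]})


def root_findings(log_file_text):
    """Return (severity, eventTime, sourceIPAddress, description) for every
    root-user record in one CloudTrail log file; other identities are skipped."""
    findings = []
    for rec in json.loads(log_file_text).get("Records", []):
        ident = rec.get("userIdentity") or {}
        if ident.get("type") != "Root":
            continue
        when, ip = rec.get("eventTime", "?"), rec.get("sourceIPAddress", "?")
        if rec.get("eventName") == "ConsoleLogin":
            outcome = (rec.get("responseElements") or {}).get("ConsoleLogin")
            mfa = (rec.get("additionalEventData") or {}).get("MFAUsed") == "Yes"
            if outcome == "Success" and not mfa:
                findings.append(("HIGH", when, ip, "root console login without MFA"))
            elif outcome == "Success":
                findings.append(("MEDIUM", when, ip, "root console login (MFA used)"))
            else:
                findings.append(("MEDIUM", when, ip, "failed root console login attempt"))
        elif ident.get("accessKeyId"):
            # An API call signed with a root access key: such a key should not exist at all.
            findings.append(("HIGH", when, ip, "root access key used: " + str(rec.get("eventName"))))
        else:
            findings.append(("LOW", when, ip, "other root activity: " + str(rec.get("eventName"))))
    return findings
```

Run it against each log file downloaded from the trail's bucket and alert on any HIGH finding; a healthy account produces no root findings at all.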


Security is king

Make sure to give special attention to the security of the root user in AWS. It is best to implement the security recommendations of the cloud service provider. We advise reviewing the login events of this user account periodically to protect your data and digital ecosystem.

If you want to know more about how we help organizations create safer experiences and adapt to the new digital paradigm, visit our Cybersecurity Studio.
