Knowledge BasePanther.comRelease NotesDemo Request
Search…
Overview
Quick Start
Data Sources & Transports
Writing Detections
Rules
Policies
Testing
Alert Summaries
Detection Packs
Caching
Data Models
Global Helper Functions
Report Mapping
Panther Developer Workflows: Detections
Triaging Alerts
Alert Runbooks
Built-in Policies
Built-in Rules
AWS CloudTrail Modified
AWS Config Service Modified
AWS Console Login Failed
AWS Console Login Without MFA
AWS EC2 Gateway Modified
AWS EC2 Network ACL Modified
AWS EC2 Route Table Modified
AWS EC2 SecurityGroup Modified
AWS EC2 VPC Modified
AWS IAM Policy Modified
AWS KMS CMK Loss
AWS Root Activity
AWS S3 Bucket Policy Modified
AWS Unauthorized API Call
Cloud Security Scanning
Destinations
Data Analytics
Enrichment (Beta)
System Configuration
Panther API (Beta)
Guides
Help
Powered By GitBook
AWS Root Activity
This rule monitors for any activity performed by the AWS root account.
Risk
Remediation Effort
High
Low / High
Best practice dictates to not use the root account unless absolutely necessary, as it has complete access to everything within the account. Instead service roles and IAM users should be created which grant the least amount of privilege needed to perform a certain task. This rule supplements this practice by ensuring the root account is not used for anything.
Remediation
Verify that use of the root account was authorized, as there are a small number of tasks which require it. If use was not authorized, revoke access to the root account immediately and change the password. If MFA was enabled, rotate the MFA device as it may be compromised. Perform an extensive review of activities performed by the root account.
References
  • CIS AWS Benchmark 3.3: "Ensure a log metric filter and alarm exist for usage of "root" account"
Previous
AWS KMS CMK Loss
Next
AWS S3 Bucket Policy Modified
Last modified 1yr ago
Copy link