Help Center
Go back to application
Help Center
Go back to application
Platform Terms Glossary
Task Management
Task Management explained Creating Tasks Setting up Task NotificationsGiving permissions to team members
Organization
Working together in KertosInviting UsersCreating rolesAssigning System AccessCreating Departments and Assigning Users
Integrations
Discovery
Tasks
Device Management
Human Resource Information Systems
Inventory
Inventorization of vendorsInventorization of systemsInventorization of assetsEU AI Act: Inventorization of AI use cases
Risks
Managing risksApplying controls to risks
Trust Center
Setting up your trust center
Incidents
Reporting incidents
KAIA
KAIA explainedPrinciples of AI at Kertos
Interacting with KAIA
Compliance
Frameworks explainedManaging & implementing controlsCreating & managing policiesCompleting & assigning trainings
Privacy Management
Creating a RoPACreating TOMsCreating DPIAs
Data Subject Requests
API Reference
Ingress API Docs for DSRs Webhook API Docs for DSRs
Auto Checks
Auto Checks explainedAuto Checks: AWS Auto Checks: GCPAuto Checks: AzureAuto Checks Integration Guide for AzureAuto Checks Integration Guide for GCP
AWS Auto Checks Detailed Explanations
Enforce MFA on the AWS Root AccountVerify CloudTrail is logging management events across all AWS regionsEnsure no IAM AWS-managed policies grant full administrative accessConfirm that Amazon GuardDuty is enabled for threat detectionEnsure the root account does not have any active access keysConfirm IAM Access Analyzer is enabled to monitor access permissionsConfigure a log metric filter and alarm for unauthorized API callsConfigure a log metric filter and alarm for root account usageEnsure customer-managed IAM policies do not grant full administrative accessPrevent IAM identities from having inline policies with unrestricted accessMaintain accurate and up-to-date AWS account contact informationRegister a valid security contact in the AWS account settingsBlock IAM Inline Policies That Enable Privilege EscalationPrevent IAM Inline Policies from Granting Full CloudTrail AccessAvoid Full KMS Access in Inline IAM PoliciesPrevent Overly Permissive Role Assumption in Custom IAM PoliciesPrevent Privilege Escalation via Customer-Managed IAM PoliciesAvoid IAM Policies Granting Full CloudTrail AccessAvoid IAM Policies Granting Unrestricted KMS AccessPrevent IAM Roles from Assigning ReadOnlyAccess Permissions to External AWS AccountsProtect IAM Service Roles from Confused Deputy Attacks Using Proper Trust PoliciesAvoid Provisioning Access Keys During Initial IAM User Creation When Console Login is EnabledDetect IAM Users with Multiple Active Access Keys and Enforce Key Rotation

Configure a log metric filter and alarm for root account usage

Framework Reference: A.8.16 (Monitoring Activities) Integration: AWS โ€“ CloudTrail + CloudWatch

Why this matters

The root account in AWS holds the highest level of privileges. Any usage of this account should be rare, deliberate, and well-documented. Unexpected or frequent root activity is often a sign of misconfiguration or compromise.

Setting up real-time monitoring allows your security team to detect when the root account is used and to take immediate action if needed. CloudWatch alarms tied to CloudTrail logs provide the necessary visibility and speed of response.

What this check does

This check verifies that:

A CloudWatch metric filter is configured to monitor for root account usage

An alarm is connected to this filter and is actively configured to alert on detection

It passes when both components are in place and properly scoped to capture relevant root-level events from CloudTrail logs.

How to fix it

Using AWS CLI

Create a CloudWatch metric filter to match root user events:

aws logs put-metric-filter \  --log-group-name <trail-log-group-name> \  --filter-name root-account-usage \  --metric-transformations metricName=RootAccountUsage,metricNamespace=Security,metricValue=1 \  --filter-pattern '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }' 

Create an SNS topic to receive alarm notifications:

aws sns create-topic --name root-account-usage-alerts

Subscribe a recipient to the SNS topic:

aws sns subscribe \  --topic-arn <sns-topic-arn> \  --protocol email \  --notification-endpoint security-team@example.com

Create the alarm in CloudWatch:

aws cloudwatch put-metric-alarm \  --alarm-name RootAccountUsageAlarm \  --metric-name RootAccountUsage \  --namespace Security \  --statistic Sum \  --period 300 \  --threshold 1 \  --comparison-operator GreaterThanOrEqualToThreshold \  --evaluation-periods 1 \  --alarm-actions <sns-topic-arn>

Replace all placeholder values with those specific to your environment.

Exceptions

If root account usage is entirely disabled or monitored through a centralized SIEM, this check may not apply. In such cases, documentation must confirm that equivalent monitoring and alerting measures are in place.

Further Resources

CloudTrail Multi-Region Logging

Creating CloudWatch Alarms from CloudTrail Logs

Subscribe to an Amazon SNS Topic

Was this article helpful?

Powered by Product Fruits