Cloud Conformity Real-Time Threat Monitoring and Analysis (RTMA) engine detected an AWS root account authentication session.
This rule can help you with the following compliance standards:
- PCI
- HIPAA
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Real-Time Threat Monitoring.
When you sign up for Amazon Web Services, you provide login information (an email address and a password) that is associated with your AWS account. This combination of email address and password represents your AWS root account and its credentials allow complete access to all your AWS services and resources.
Cloud Conformity strongly recommends that you avoid using the AWS root user for your everyday tasks or even for the administrative ones. With Cloud Conformity RTMA root logon detection you will gain real-time visibility into your AWS root account login activity and help you respond fast to any unauthorized access sessions or potential security breaches.
Rationale
Monitoring your root login activity is crucial for keeping your Amazon Web Services account safe. Since the root user acts like a superuser, anyone who has your root credentials can gain unrestricted access to all the resources and services within your AWS environment, including billing information and the ability to change the root password.
The most effective way to reduce the risk of unauthorized access to your AWS account is to avoid sharing the root credentials with other members within your organization and stop using them for everyday access. Instead, the best practice is to provide access to your AWS services and resources through individual IAM users (managed by IAM groups) or programmatically through IAM roles. Using individual IAM users and roles (with specific set of permissions) will eliminate the risk of compromising your root account credentials.
Ideally, the root user will be used only to create an administrator, basically an IAM user with full permissions to your AWS account. And this administrator user should be utilized to create and configure other IAM users and roles with limited permissions that implement the principle of least privilege (i.e. the practice of providing every IAM user the minimal amount of access required to perform its tasks).
References
- AWS Documentation
- IAM Best Practices
- Identities (Users, Groups, and Roles)
- The Account Root User
- IAM Users
- IAM Groups
- IAM Roles
- AWS Blog(s)
- Adhere to IAM Best Practices in 2016