Root account usage alarm
Check ID: aws-cw-001
AWS-CW-001 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. It checks whether a CloudWatch metric filter and alarm exist to detect root account usage.
Why it matters
Root account usage should be nearly zero in a well-managed AWS environment. Without a CloudWatch alarm, legitimate or malicious root usage goes unnoticed, potentially for weeks or months. CIS AWS Benchmark 4.3 requires this alarm because root actions bypass all IAM restrictions and can include deleting the entire account. The 2024 AWS Threat Intelligence report found that compromised root credentials are used in 34% of account takeover incidents, with attackers acting within minutes of obtaining access. An alarm on root usage provides the earliest possible detection - giving your team time to respond before an attacker can establish persistence through IAM backdoor users or roles.
Common causes
Root usage alarms are missing because setting them up requires chaining CloudTrail log groups to CloudWatch metric filters and then to alarms - a multi-step process that is easy to skip. Teams that use third-party SIEM solutions assume they cover root usage detection but often miss the CloudWatch alarm requirement for CIS compliance. Organizations without a dedicated security team rarely implement CIS Level 2 monitoring controls like this one.
Detection
Run cloud-audit to detect this issue:
pip install cloud-audit
cloud-audit scan -R

The -R flag includes remediation details for every finding, including this one.
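What a check like this has to confirm, as an added example that is not cloud-audit's own code: the pass/fail criteria (a metric filter carrying the CIS 4.3 root-usage pattern, an alarm on the metric that filter emits, and an alarm action so someone is notified) follow the CIS 4.3 audit steps and are an assumption about the real check. The input lists are shaped like the boto3 describe_metric_filters / describe_alarms responses and the sample data is constructed.

```python
# Added example, not cloud-audit's code: the three things an aws-cw-001 style
# check has to confirm. The pass/fail criteria (a filter with the CIS 4.3 pattern,
# an alarm on its metric, an alarm action) follow the CIS 4.3 audit steps and are
# an assumption about what the real check does.
import re

# Clauses of the CIS 4.3 root-usage pattern, matched whitespace-insensitively
REQUIRED_CLAUSES = (
    r'\$\.userIdentity\.type\s*=\s*"Root"',
    r'\$\.userIdentity\.invokedBy\s+NOT\s+EXISTS',
    r'\$\.eventType\s*!=\s*"AwsServiceEvent"',
)

def is_root_usage_pattern(pattern: str) -> bool:
    """True if a metric filter pattern contains all three CIS 4.3 clauses."""
    return all(re.search(clause, pattern) for clause in REQUIRED_CLAUSES)

def root_usage_findings(metric_filters: list, alarms: list) -> list:
    """metric_filters: 'metricFilters' from logs.describe_metric_filters;
    alarms: 'MetricAlarms' from cloudwatch.describe_alarms. Empty list = pass."""
    filters = [f for f in metric_filters if is_root_usage_pattern(f.get("filterPattern", ""))]
    if not filters:
        return ["no metric filter matches the CIS 4.3 root-usage pattern"]
    # (metricName, metricNamespace) pairs emitted by the matching filters
    metrics = {(t["metricName"], t["metricNamespace"])
               for f in filters for t in f.get("metricTransformations", [])}
    wired = [a for a in alarms if (a.get("MetricName"), a.get("Namespace")) in metrics]
    if not wired:
        return ["root-usage metric filter exists but no alarm watches its metric"]
    if not any(a.get("AlarmActions") for a in wired):
        return ["root-usage alarm exists but has no alarm action, so nobody is notified"]
    return []

# Constructed sample API responses, not captured from a real account
SAMPLE_FILTERS = [{
    "filterName": "RootAccountUsage",
    "filterPattern": '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS '
                     '&& $.eventType != "AwsServiceEvent" }',
    "metricTransformations": [{"metricName": "RootAccountUsage",
                               "metricNamespace": "CISBenchmark", "metricValue": "1"}],
}]
SAMPLE_ALARM = {"AlarmName": "RootAccountUsage", "MetricName": "RootAccountUsage",
                "Namespace": "CISBenchmark", "AlarmActions": []}  # no SNS target yet

if __name__ == "__main__":
    for alarms in ([], [SAMPLE_ALARM],
                   [dict(SAMPLE_ALARM, AlarmActions=["arn:aws:sns:REGION:ACCOUNT:alerts"])]):
        print(root_usage_findings(SAMPLE_FILTERS, alarms))
```

The same three outcomes are what the Terraform and CLI remediation below fix in order: the filter, the alarm, and the SNS action on the alarm.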
Remediation: AWS CLI
aws logs put-metric-filter --log-group-name CLOUDTRAIL_LOG_GROUP --filter-name RootAccountUsage --filter-pattern '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }' --metric-transformations metricName=RootAccountUsage,metricNamespace=CISBenchmark,metricValue=1
aws cloudwatch put-metric-alarm --alarm-name RootAccountUsage --metric-name RootAccountUsage --namespace CISBenchmark --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --alarm-actions SNS_TOPIC_ARN

Remediation: Terraform
resource "aws_cloudwatch_log_metric_filter" "root_usage" {
  name           = "RootAccountUsage"
  log_group_name = aws_cloudwatch_log_group.cloudtrail.name
  pattern        = "{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }"

  metric_transformation {
    name      = "RootAccountUsage"
    namespace = "CISBenchmark"
    value     = "1"
  }
}

resource "aws_cloudwatch_metric_alarm" "root_usage" {
  alarm_name          = "RootAccountUsage"
  metric_name         = "RootAccountUsage"
  namespace           = "CISBenchmark"
  statistic           = "Sum"
  period              = 300
  threshold           = 1
  comparison_operator = "GreaterThanOrEqualToThreshold"
  evaluation_periods  = 1
  alarm_actions       = [aws_sns_topic.alerts.arn]
}

Compliance mapping
This check maps to CIS 4.3 in the CIS AWS Foundations Benchmark. The CIS Benchmark provides prescriptive guidance for configuring security options for a subset of AWS services.
This check is part of cloud-audit - install with pip install cloud-audit