This project is part of my #100DaysOfCybersecurity Challenge.
The goal is to detect and respond to AWS root account usage, one of the most sensitive and high-risk actions in any AWS environment, using CloudTrail, SNS, and EventBridge.

- Simulate sensitive activity from the AWS root account
- Detect the root account login using CloudTrail
- Trigger an SNS alert via EventBridge when the root account is used
- AWS Management Console
- CloudTrail
- SNS (Simple Notification Service)
- EventBridge (formerly CloudWatch Events)
- S3 (for storing CloudTrail logs)
- Sensitive action performed as root: enabled Multi-Factor Authentication (MFA).
- This produces root account activity that CloudTrail records.

- Created a trail: root-account-monitoring-trail, configured to log all management events to the S3 bucket server-logstash.

- Created a rule: root-account-usage-alert, with the event pattern below (matches console sign-in events whose user identity type is Root):

```json
{
  "source": ["aws.signin"],
  "detail-type": ["AWS Console Sign In via CloudTrail"],
  "detail": {
    "userIdentity": {
      "type": ["Root"]
    }
  }
}
```

- CloudTrail Logs: Confirmed root account sign-in recorded in CloudTrail.
- SNS Alert: Email received within seconds of login.
- Root account usage should always be monitored.
- CloudTrail + EventBridge + SNS provides near real-time alerting for sensitive actions.
- Alerts like this are essential for detecting unauthorized root account use.
- Extend this to monitor other sensitive activities (e.g., IAM policy changes).
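To show what the rule above does and does not catch, and what extending it to other root activity looks like, here is an added example (not part of this project): a minimal matcher for the subset of EventBridge pattern semantics the rule relies on, run against constructed sample events. The second pattern, ROOT_API_CALL_PATTERN, is an assumed extension covering API calls made with root credentials, which the sign-in-only rule never sees.

```python
# Added example (not part of the original project): a minimal matcher for the
# subset of EventBridge pattern semantics the rule above uses, run against
# constructed sample events to show what the rule does and does not catch.

# The project's rule: console sign-in events by the root user.
ROOT_SIGNIN_PATTERN = {
    "source": ["aws.signin"],
    "detail-type": ["AWS Console Sign In via CloudTrail"],
    "detail": {"userIdentity": {"type": ["Root"]}},
}
# Assumed extension: any API call made with root credentials (e.g. root access
# keys used from the CLI), which a sign-in-only rule does not see.
ROOT_API_CALL_PATTERN = {
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"userIdentity": {"type": ["Root"]}},
}

def matches(pattern: dict, event: dict) -> bool:
    """True if every pattern field is present in the event with an allowed value.
    Nested dicts recurse; a leaf list means 'value must be one of these'."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches(expected, event[key]):
                return False
        elif event[key] not in expected:
            return False
    return True

# Constructed sample events in EventBridge envelope form (not real log data).
ROOT_CONSOLE_LOGIN = {
    "source": "aws.signin", "detail-type": "AWS Console Sign In via CloudTrail",
    "detail": {"eventName": "ConsoleLogin", "userIdentity": {"type": "Root"}},
}
IAM_USER_LOGIN = {
    "source": "aws.signin", "detail-type": "AWS Console Sign In via CloudTrail",
    "detail": {"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "analyst"}},
}
ROOT_CLI_CALL = {
    "source": "aws.iam", "detail-type": "AWS API Call via CloudTrail",
    "detail": {"eventName": "CreateAccessKey", "userIdentity": {"type": "Root"}},
}

def alert_reasons(event: dict) -> list[str]:
    """Names of the rules an event trips; an empty list means no SNS alert."""
    rules = {"root-account-usage-alert": ROOT_SIGNIN_PATTERN,
             "root-api-call-alert": ROOT_API_CALL_PATTERN}
    return [name for name, pat in rules.items() if matches(pat, event)]
```

Calling alert_reasons on the three samples shows the root console login tripping only the project's rule, the IAM user login tripping nothing, and the root CLI call being caught only by the extended pattern.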
Chukwu PraiseGod
Follow my journey: X | LinkedIn