What the best practice of securing AWS root account? - Not using it at all!
Let's clean it up first:
- remove any API key associated with root account
- reset root password and change email assoicated
- enable MFA (or deactivate previous and create new) on the root account.
Start using IAM:
- Copy/bookmark/save IAM sign-in url
- create required users including one with AdministratorAccess policy attached.
- Enable MFA on all users created
Secure root account:
- Print you root account credentials.
- Log in using printed credentials to ensure that it works.
- Put in tamper evident envelope
- Add some signatures, stamps or voodoo on envelope.
- Hide it in SafeBox
- Use it only in case of emergency :-)
Now let's add some monitoring just in case:
- Enable and configure CloudTrail + bucket for Logs
- Configure CloudWatchLogs (CloudWatch) to process CloudTrail logs
- Add metric filters to detect root-user related events
- Set-up alarm and notifications (SNS) for the metrics
For root users CloudWatchLog metric filter looks like:
I did everything mentioned above and was ,let's say, "surprised" to get months after notification saying "Root log-in detected" . Checked CloudTrail looking for the root user - nothing....Hmm.. Start looking into CloudTrailLogs content for the detailed row events and found this:
"eventVersion": "1.02", "userIdentity": { "type": "Root", "principalId": "577343344455", "arn": "arn:aws:iam::577343344455:root", "accountId": "5577343344455", "userName": "my_company", "invokedBy": "support.amazonaws.com" }, "eventTime": "2016-03-22T19:22:23Z", "eventSource": "iam.amazonaws.com", "eventName": "GetAccountSummary", "awsRegion": "us-east-1", "sourceIPAddress": "support.amazonaws.com", "userAgent": "support.amazonaws.com", "requestParameters": null, "responseElements": null, "requestID": "675d-fxx3-1x5-9xxd-4768xxx17", "eventID": "b9xxxxfcaf-3xx7-4xxd-a220-exxxx8", "eventType": "AwsApiCall", "recipientAccountId": "577343344455"
Dear AWS support - you got me :-))
