AnalysisType: rule
Filename: aws_root_activity.py
RuleID: "AWS.Root.Activity"
DisplayName: "Root Account Activity"
DedupPeriodMinutes: 60
Enabled: true
LogTypes:
- AWS.CloudTrail
Tags:
- AWS
- Identity & Access Management
- DemoThreatHunting
- Privilege Escalation:Valid Accounts
Reports:
CIS:
- 3.3
MITRE ATT&CK:
- TA0004:T1078
Severity: High
Description: >
Root account activity was detected.
Runbook: >
Investigate the usage of the root account. If this root activity was not authorized, immediately change the root credentials and investigate what actions the root account took.
Reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html
SummaryAttributes:
- awsRegion
- eventName
- eventSource
- userAgent
- p_any_aws_account_ids
- p_any_aws_arns
- p_any_ip_addresses
Tests:
- Name: Root Activity - CreateServiceLinkedRole
ExpectedResult: false
Log:
{
"eventVersion": "1.05",
"userIdentity":
{
"type": "Root",
"principalId": "123456789012",
"arn": "arn:aws:iam::123456789012:root",
"accountId": "123456789012",
"accessKeyId": "1",
"sessionContext":
{
"attributes":
{
"mfaAuthenticated": "false",
"creationDate": "2019-01-01T00:00:00Z",
},
},
},
"eventTime": "2019-01-01T00:00:00Z",
"eventSource": "s3.amazonaws.com",
"eventName": "CreateServiceLinkedRole",
"awsRegion": "us-west-2",
"sourceIPAddress": "111.111.111.111",
"userAgent": "Mozilla",
"requestParameters":
{
"bucketName": "bucket",
"versioning": [""],
"host": ["bucket.s3.us-west-2.amazonaws.com"],
"VersioningConfiguration":
{
"Status": "Enabled",
"xmlns": "http://s3.amazonaws.com/doc/2006-03-01/",
"MfaDelete": "Enabled",
},
},
"responseElements": null,
"additionalEventData":
{
"SignatureVersion": "SigV4",
"CipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
"AuthenticationMethod": "AuthHeader",
},
"requestID": "1",
"eventID": "1",
"eventType": "AwsApiCall",
"recipientAccountId": "123456789012",
}
- Name: Root Activity
ExpectedResult: true
Log:
{
"eventVersion": "1.05",
"userIdentity":
{
"type": "Root",
"principalId": "123456789012",
"arn": "arn:aws:iam::123456789012:root",
"accountId": "123456789012",
"accessKeyId": "1",
"sessionContext":
{
"attributes":
{
"mfaAuthenticated": "false",
"creationDate": "2019-01-01T00:00:00Z",
},
},
},
"eventTime": "2019-01-01T00:00:00Z",
"eventSource": "s3.amazonaws.com",
"eventName": "PutBucketVersioning",
"awsRegion": "us-west-2",
"sourceIPAddress": "111.111.111.111",
"userAgent": "Mozilla",
"requestParameters":
{
"bucketName": "bucket",
"versioning": [""],
"host": ["bucket.s3.us-west-2.amazonaws.com"],
"VersioningConfiguration":
{
"Status": "Enabled",
"xmlns": "http://s3.amazonaws.com/doc/2006-03-01/",
"MfaDelete": "Enabled",
},
},
"responseElements": null,
"additionalEventData":
{
"SignatureVersion": "SigV4",
"CipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
"AuthenticationMethod": "AuthHeader",
},
"requestID": "1",
"eventID": "1",
"eventType": "AwsApiCall",
"recipientAccountId": "123456789012",
}
- Name: IAMUser Activity
ExpectedResult: false
Log:
{
"eventVersion": "1.05",
"userIdentity":
{
"type": "IAMUser",
"principalId": "1111",
"arn": "arn:aws:iam::123456789012:user/tester",
"accountId": "123456789012",
"accessKeyId": "1",
"userName": "tester",
"sessionContext":
{
"attributes":
{
"mfaAuthenticated": "false",
"creationDate": "2019-01-01T00:00:00Z",
},
},
"invokedBy": "signin.amazonaws.com",
},
"eventTime": "2019-01-01T00:00:00Z",
"eventSource": "s3.amazonaws.com",
"eventName": "GetBucketAcl",
"awsRegion": "us-west-2",
"sourceIPAddress": "111.111.111.111",
"userAgent": "signin.amazonaws.com",
"requestParameters":
{
"host": ["bucket.s3.us-west-2.amazonaws.com"],
"bucketName": "bucket",
"acl": [""],
},
"responseElements": null,
"additionalEventData":
{
"SignatureVersion": "SigV4",
"CipherSuite": "ECDHE-RSA-AES128-SHA",
"AuthenticationMethod": "AuthHeader",
"vpcEndpointId": "vpce-1",
},
"requestID": "1",
"eventID": "1",
"eventType": "AwsApiCall",
"recipientAccountId": "123456789012",
"vpcEndpointId": "vpce-1",
}
- Name: Root User Failed Activity
ExpectedResult: false
Log:
{
"awsRegion": "redacted",
"errorMessage": "Not a valid response for the provided request id: aws_ccV60redacted",
"eventID": "redacted",
"eventName": "ExternalIdPDirectoryLogin",
"eventSource": "signin.amazonaws.com",
"eventTime": "redacted",
"eventType": "AwsConsoleSignIn",
"eventVersion": "1.05",
"p_alert_creation_time": "redacted",
"p_alert_id": "redacted",
"p_alert_update_time": "redacted",
"p_any_aws_account_ids": ["redacted"],
"p_any_aws_arns": [],
"p_any_ip_addresses": ["redacted"],
"p_event_time": "redacted",
"p_log_type": "AWS.CloudTrail",
"p_parse_time": "redacted",
"p_row_id": "redacted",
"p_rule_error": null,
"p_rule_id": "AWS.Root.Activity",
"p_rule_reports": { "CIS": ["3.3"] },
"p_rule_tags": ["AWS", "Identity & Access Management"],
"p_source_id": "redacted",
"p_source_label": "CloudTrail",
"readOnly": false,
"recipientAccountId": "redacted",
"requestID": "redacted",
"responseElements": { "ExternalIdPDirectoryLogin": "Failure" },
"sourceIPAddress": "redacted",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36",
"userIdentity":
{
"accessKeyId": "",
"accountId": "redacted",
"arn": "",
"principalId": "redacted",
"type": "Root",
},
}
- Name: Successful Root Login
ExpectedResult: true
Log:
{
"eventVersion": "1.05",
"userIdentity":
{
"type": "Root",
"principalId": "1111",
"arn": "arn:aws:iam::123456789012:root",
"accountId": "123456789012",
"userName": "root",
},
"eventTime": "2019-01-01T00:00:00Z",
"eventSource": "signin.amazonaws.com",
"eventName": "ConsoleLogin",
"awsRegion": "us-east-1",
"sourceIPAddress": "111.111.111.111",
"userAgent": "Mozilla",
"requestParameters": null,
"responseElements": { "ConsoleLogin": "Success" },
"additionalEventData":
{
"LoginTo": "https://console.aws.amazon.com/console/",
"MobileVersion": "No",
"MFAUsed": "No",
},
"eventID": "1",
"eventType": "AwsConsoleSignIn",
"recipientAccountId": "123456789012",
}