Control: Ensure a log metric filter and alarm exist for usage of 'root' account
Description
You can do real-time monitoring of API calls directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.Security Hub recommends that you create a metric filter and alarm for root login attempts. Monitoring for root account logins provides visibility into the use of a fully privileged account and an opportunity to reduce the use of it.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.log_metric_filter_root_loginSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.log_metric_filter_root_login --shareSQL
This control uses a named query:
with trails as ( select trail.account_id, trail.name as trail_name, trail.is_logging, split_part(trail.log_group_arn, ':', 7) as log_group_name from aws_cloudtrail_trail as trail, jsonb_array_elements(trail.event_selectors) as se where trail.is_multi_region_trail is true and trail.is_logging and se ->> 'ReadWriteType' = 'All' and trail.log_group_arn is not null order by trail_name),alarms as ( select metric_name, action_arn as topic_arn from aws_cloudwatch_alarm, jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn order by metric_name),topic_subscriptions as ( select subscription_arn, topic_arn from aws_sns_topic_subscription order by subscription_arn),metric_filters as ( select filter.name as filter_name, filter_pattern, log_group_name, metric_transformation_name from aws_cloudwatch_log_metric_filter as filter where filter.filter_pattern ~ '\s*\$\.userIdentity\.type\s*=\s*"Root".+\$\.userIdentity\.invokedBy NOT EXISTS.+\$\.eventType\s*!=\s*"AwsServiceEvent"' order by filter_name),filter_data as ( select t.account_id, t.trail_name, f.filter_name from trails as t join metric_filters as f on f.log_group_name = t.log_group_name join alarms as alarm on alarm.metric_name = f.metric_transformation_name join topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn)select distinct 'arn:' || a.partition || ':::' || a.account_id as resource, case when f.trail_name is null then 'alarm' else 'ok' end as status, case when f.trail_name is null then 'No log metric filter and alarm exist for usage of "root" account.' else filter_name || ' forwards events for usage of "root" account.' end as reason , a.account_idfrom aws_account as a left join filter_data as f on a.account_id = f.account_id;