Control: Ensure a log metric filter and alarm exist for usage of 'root' account
Description
You can do real-time monitoring of API calls directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.Security Hub recommends that you create a metric filter and alarm for root login attempts. Monitoring for root account logins provides visibility into the use of a fully privileged account and an opportunity to reduce the use of it.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.log_metric_filter_root_login
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.log_metric_filter_root_login --share
SQL
This control uses a named query:
log_metric_filter_root_login