Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/tailpipe-mod-aws-cloudtrail-log-detections
Overview
4Dashboards
86Benchmarks
96Queries
1Variables
GitHub

Detection: IAM Root User Console Login

Overview

Detect when the AWS Management Console was accessed by the root user. Root user activity poses significant risks due to its unrestricted administrative privileges, and unnecessary logins may indicate potential misuse or compromised credentials. Ensuring the root account is only used in critical situations helps protect your AWS environment from unauthorized access and enhances security posture.

References:

Usage

Run the detection in your terminal:

powerpipe detection run aws_cloudtrail_log_detections.detection.iam_root_user_console_login

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe detection run aws_cloudtrail_log_detections.detection.iam_root_user_console_login --share

SQL

This detection uses a named query:

select
  tp_timestamp as timestamp,
string_split(event_source, '.')[1] || ':' || event_name as operation,
user_identity.type as resource,
user_identity.arn as actor,
tp_source_ip as source_ip,
tp_index as account_id,
aws_region as region,
tp_id as source_id,
*


from
  aws_cloudtrail_log
where
  event_source = 'signin.amazonaws.com'
  and event_name = 'ConsoleLogin'
  and user_identity.type = 'Root'
  and error_code is null


order by
  event_time desc;

Tags

category = Detections
folder = IAM
mitre_attack_ids = TA0004:T1078.003
plugin = aws
service = AWS/IAM