Triggers

  • An API call or console sign-in was performed by the AWS account's root user (CloudTrail records such events with a userIdentity type of Root).

Possible Root Causes

  • An attacker has compromised the root account credentials and is using the unrestricted access they grant to further the attack.
  • Administrators are using the root account for routine work instead of an IAM user or role with scoped permissions, which is against AWS best practice.

Business Impact

  • Malicious use of the root account carries significant potential for harm to organizational assets, services, and data, including service disruption and loss of sensitive data, because IAM permission policies do not constrain the root user.
  • Routine use of the root account by administrators greatly elevates the risk of accidental damage or disruption, since nothing limits the blast radius of a mistake.

Steps to Verify

  • Review the activity performed by the root account in CloudTrail (event names, source IP addresses, user agents, and whether MFA was used) for indications of malicious activity.
  • Confirm with the team responsible for administering AWS that they performed the activity and that it was authorized; root should be needed only for the small set of account-level tasks that require it.
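The triage described above, as an added example that is not part of this page or of any vendor's detection logic: it reads a CloudTrail log file in the shape CloudTrail delivers to S3 (a JSON object with a Records array), keeps only events attributed to the root user, and flags each one that falls outside an expected-activity allowlist, comes from an unknown source address, lacks MFA, or is a failed console login. The EXPECTED_ROOT_EVENTS allowlist and the KNOWN_ADMIN_PREFIXES range are hypothetical and must be tuned to your account, and the sample records are constructed, not captured.

```python
"""Triage root-account activity from a CloudTrail log file.

Added example; assumes CloudTrail's documented record layout:
userIdentity.type is "Root" for root actions, console sign-ins are
eventName "ConsoleLogin" with responseElements.ConsoleLogin and
additionalEventData.MFAUsed, and API sessions carry
userIdentity.sessionContext.attributes.mfaAuthenticated.
"""
import json

# Hypothetical allowlist of root-only tasks the admin team may perform
# (tune to your account); any other root action is unexpected.
EXPECTED_ROOT_EVENTS = {"ConsoleLogin", "GetAccountSummary", "ListMFADevices"}

# Hypothetical corporate egress prefix; root activity from elsewhere is suspicious.
KNOWN_ADMIN_PREFIXES = ("203.0.113.",)

# Constructed CloudTrail log file, not a real capture.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T08:02:11Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10", "userAgent": "Mozilla/5.0",
     "userIdentity": {"type": "Root", "accountId": "111122223333", "arn": "arn:aws:iam::111122223333:root"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2024-05-01T23:41:05Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"type": "Root", "accountId": "111122223333", "arn": "arn:aws:iam::111122223333:root",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
     "requestParameters": {"userName": "backup-svc"}},
    {"eventTime": "2024-05-01T23:45:30Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7", "userAgent": "Mozilla/5.0",
     "userIdentity": {"type": "Root", "accountId": "111122223333", "arn": "arn:aws:iam::111122223333:root"},
     "responseElements": {"ConsoleLogin": "Failure"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-05-01T09:15:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.11", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]})


def load_records(text):
    """Parse one CloudTrail log file into its list of event records."""
    return json.loads(text).get("Records", [])


def is_root_event(event):
    """True when CloudTrail attributes the action to the root user."""
    return event.get("userIdentity", {}).get("type") == "Root"


def mfa_used(event):
    """True/False when the record states whether MFA was used, None if it is silent."""
    if event.get("eventName") == "ConsoleLogin":
        flag = event.get("additionalEventData", {}).get("MFAUsed")
        return None if flag is None else flag == "Yes"
    attrs = event.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    flag = attrs.get("mfaAuthenticated")
    return None if flag is None else flag == "true"


def triage_root_events(records):
    """Return root events in time order, each with the reasons it needs follow-up.

    An empty reason list means the event matched expectations and only needs
    confirmation with the administering team.
    """
    findings = []
    root_events = sorted((r for r in records if is_root_event(r)),
                         key=lambda r: r.get("eventTime", ""))
    for ev in root_events:
        name = ev.get("eventName", "")
        ip = ev.get("sourceIPAddress", "")
        reasons = []
        if name not in EXPECTED_ROOT_EVENTS:
            reasons.append(f"unexpected root action {name}")
        if not ip.startswith(KNOWN_ADMIN_PREFIXES):
            reasons.append(f"source {ip} outside known admin ranges")
        if mfa_used(ev) is False:
            reasons.append("no MFA on root session")
        if name == "ConsoleLogin" and ev.get("responseElements", {}).get("ConsoleLogin") == "Failure":
            reasons.append("failed root console login")
        findings.append({"eventTime": ev.get("eventTime"), "eventName": name,
                         "sourceIPAddress": ip, "userAgent": ev.get("userAgent"),
                         "reasons": reasons})
    return findings


def needs_escalation(findings):
    """Subset of findings that should go to incident response rather than a routine admin check."""
    return [f for f in findings if f["reasons"]]


if __name__ == "__main__":
    for f in triage_root_events(load_records(SAMPLE_LOG)):
        status = "ESCALATE" if f["reasons"] else "confirm with admins"
        print(f"{f['eventTime']} {f['eventName']:<16} {f['sourceIPAddress']:<15} "
              f"{status}: {'; '.join(f['reasons'])}")
```

Against the sample file the morning console login from the known range with MFA is left for the admin team to confirm, while the night-time CreateAccessKey and failed login from an unknown address without MFA are escalated. In production, feed the function the records from every region's trail, since root activity can occur in any region.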