How do I create an EventBridge rule for AWS account root user login alerts?

5 minute read

As part of my account security, I want to receive email notifications when someone uses the AWS Management Console to access my AWS account root user.

Resolution

To monitor account root user login activity, create an Amazon EventBridge rule that monitors the userIdentity element in AWS CloudTrail logs. The EventBridge rule uses Amazon Simple Notification Service (Amazon SNS) to send notifications when the root user signs in to the AWS Management Console.

For CloudTrail to send API calls to EventBridge, you must create a trail in the same AWS Region as the EventBridge rule. Configure the trail's management events as Read and Write or only Write.

To create the EventBridge rule and SNS topic, you can use Amazon SNS and EventBridge. Or, use AWS CloudFormation.

Use Amazon SNS and EventBridge

Create an Amazon SNS topic and subscription

Complete the following steps:

Create an Amazon SNS topic.
Subscribe an endpoint to the topic.
Check your email inbox for the AWS confirmation email.
In the email, choose Confirm subscription to confirm the SNS subscription request. You then receive a "Subscription confirmed!" message.

Create an EventBridge rule

Complete the following steps:

Open the EventBridge console in the US East (N. Virginia) Region.
In the navigation pane, choose Rules, and then choose Create rule.
For Name and Description, enter a name and description for the rule.
For Rule type, choose Rule with an event pattern, and then choose Next.
For Event source, choose AWS events or EventBridge partner events.
Under Event pattern, choose Custom pattern (JSON editor).

In the Event pattern JSON editor, enter the following root user login pattern:

{

"detail-type": ["AWS Console Sign In via CloudTrail"],

"detail": {

"userIdentity": {

"type": ["Root"]

}

}

}

Choose Next.
Configure the following settings for your target:
For Target types, choose AWS service.
For Select a target, choose SNS topic.
For Topic, select the topic that you created.
Choose Next.
(Optional) Add tags to the rule.
Choose Next.
Review the rule's details, and then choose Create rule.

Use CloudFormation

Create the CloudFormation template

To create the EventBridge rule and SNS topic, enter the following YAML template into a text editor, and then save the file:

# Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
# Permission is hereby granted, free of charge, to any person obtaining a copy of this
# software and associated documentation files (the "Software"), to deal in the Software
# without restriction, including without limitation the rights to use, copy, modify,
# merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
# permit persons to whom the Software is furnished to do so.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
# INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
# PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
# SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

AWSTemplateFormatVersion: '2010-09-09'
Description: ROOT-AWS-Console-Sign-In-via-CloudTrail
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
    - Label:
        default: Amazon SNS parameters
      Parameters:
      - Email Address
Parameters:
  EmailAddress:
    Type: String
    ConstraintDescription: Email address required.
    Description: Enter an email address you want to subscribe to the Amazon SNS topic
      that will send notifications if your account's AWS root user logs in.
Resources:
  RootActivitySNSTopic:
    Type: AWS::SNS::Topic
    Properties:
      DisplayName: ROOT-AWS-Console-Sign-In-via-CloudTrail
      Subscription:
      - Endpoint:
          Ref: EmailAddress
        Protocol: email
      TopicName: ROOT-AWS-Console-Sign-In-via-CloudTrail
  EventsRule:
    Type: AWS::Events::Rule
    Properties:
      Description: Events rule for monitoring root AWS Console Sign In activity
      EventPattern:
        detail-type:
        - AWS Console Sign In via CloudTrail
        detail:
          userIdentity:
            type:
            - Root
      Name:
        Fn::Sub: "${AWS::StackName}-RootActivityRule"
      State: ENABLED
      Targets:
      - Arn:
          Ref: RootActivitySNSTopic
        Id: RootActivitySNSTopic
    DependsOn:
    - RootActivitySNSTopic
  RootPolicyDocument:
    Type: AWS::SNS::TopicPolicy
    Properties:
      PolicyDocument:
        Id: RootPolicyDocument
        Version: '2012-10-17'
        Statement:
        - Sid: RootPolicyDocument
          Effect: Allow
          Principal:
            Service: events.amazonaws.com
          Action: sns:Publish
          Resource:
          - Ref: RootActivitySNSTopic
      Topics:
      - Ref: RootActivitySNSTopic
Outputs:
  EventsRule:
    Value:
      Ref: EventsRule
    Export:
      Name:
        Fn::Sub: "${AWS::StackName}-RootAPIMonitorEventsRule"
    Description: Event Rule ID.

Create the CloudFormation stack

Use the CloudFormation console to create the CloudFormation stack. On the Create stack page, choose Upload a template file to upload the template that you created. On the Configure stack options page, under Notifications options, enter the email address that you want AWS to send notifications to.

Test your SNS setup

Complete the following steps:

Sign out of the AWS Management Console, and then sign in to the AWS Management Console as the account root user.
Check your email inbox for an AWS notification.
Note the userIdentity, sourceIPAddress, and MFAUsed CloudTrail records that contain details about the login event.

Note: To no longer receive notifications, delete the CloudFormation stack that you created.

Related information

How to receive notifications when your AWS account's root access keys are used

Monitor and notify on AWS account root user activity

AWS::CloudWatch::Alarm

Topics: Security, Identity, & Compliance
Tags: AWS Identity and Access Management
Language: English

AWS OFFICIALUpdated a month ago

2 Comments

This post seems to assume that some CloudTrail already exists, and makes no mention of how that is setup.

Before the steps even begin, its says:

Important: Before you begin, make sure that you set your AWS CloudTrail Management read and write events to All or Write-only. This allows the EventBridge events to initiate the log-in event notification.

But how/where is this done if the account has not CloudTrail trails yet?

Paul

replied 8 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

MODERATOR

AWS Official

replied 8 months ago

Relevant content

Root login alert
Abdul Malik
asked 2 years ago
How as a root or IAM user do I access multiple organizations under my AWS hierarchy with one single user login
Edwin
asked a year ago
Root User Login
rePost-User-2142505
asked 2 years ago
Root Login Option in China Region
Aman
asked 2 years ago
Root user login issue
Hemalatha
asked 9 months ago
How do I gain access as an AWS account root user to accounts created by Account Factory or Account Vending Machine in AWS Control Tower?
AWS OFFICIALUpdated a year ago
How can I get notified when IAM changes are made to my AWS account?
AWS OFFICIALUpdated a year ago
How do I troubleshoot issues with cross-account or cross-Region EventBridge rules?
AWS OFFICIALUpdated 7 months ago
How do I reset a lost or broken MFA device for my IAM user or AWS account root user?
AWS OFFICIALUpdated 6 days ago
A step-by-step guide to cross-account and cross-region events with EventBridge
EXPERT
Antonio Lagrotteria
published 2 years ago