IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« AWS RDS Snapshot Restored AWS Route 53 Domain Transfer Lock Disabled »

› › ›

AWS Root Login Without MFA

edit

AWS Root Login Without MFA

edit

Identifies attempts to login to AWS as the root user without using multi-factor authentication (MFA). Amazon AWS best practices indicate that the root user should be protected by MFA.

Rule type: query

Rule indices:

filebeat-*
logs-aws*

Severity: high

Risk score: 73

Runs every: 10 minutes

Searches indices from: now-60m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html

Tags:

Elastic
Cloud
AWS
Continuous Monitoring
SecOps
Identity and Access

Version: 5 (version history)

Added (Elastic Stack release): 7.9.0

Last modified (Elastic Stack release): 7.13.0

Rule authors: Elastic

Rule license: Elastic License v2

Potential false positives

edit

Some organizations allow login with the root user without MFA, however, this is not considered best practice by AWS and increases the risk of compromised credentials.

Investigation guide

edit

## Config

The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

Rule query

edit

event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com
and event.action:ConsoleLogin and
aws.cloudtrail.user_identity.type:Root and
aws.cloudtrail.console_login.additional_eventdata.mfa_used:false and
event.outcome:success

Threat mapping

edit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Privilege Escalation
- ID: TA0004
- Reference URL: https://attack.mitre.org/tactics/TA0004/
Technique:
- Name: Valid Accounts
- ID: T1078
- Reference URL: https://attack.mitre.org/techniques/T1078/

Rule version history

edit

Version 5 (7.13.0 release)

Formatting only

Version 4 (7.12.0 release)

Formatting only

Version 3 (7.11.2 release)

Formatting only

Version 2 (7.10.0 release)

Updated query, changed from:

event.module:aws and event.dataset:aws.cloudtrail and
event.provider:signin.amazonaws.com and event.action:ConsoleLogin and
aws.cloudtrail.user_identity.type:Root and
aws.cloudtrail.console_login.additional_eventdata.mfa_used:false and
event.outcome:success

« AWS RDS Snapshot Restored AWS Route 53 Domain Transfer Lock Disabled »