Eliminating the use of the root account is a security best practice, because root has unrestricted access to resources in your account. An organization using AWS should be made aware of ANY root activity within their AWS environment to see if it is malicious or safe. A compliance auditor will often look for this activity and want an organization to confirm they're not using this account or justify why they used root.
In this lab you are looking for root activity within AWS by using CloudTrail data. You will be using where filters, formatting with formatDate and sort, and aggregating by count.
Root account compliance
Root accounts are usually kept in a safe and only used in emergency scenarios. A compliance auditor wants to know if you are using root and to be able to see proof that each time someone used a root account you were well aware of it. Run this query for the Last 24 Hours to see information about who is running root, and for what purpose.
_sourceCategory=Labs/AWS/CloudTrail and (root or su or sudo)
| json "eventType", "eventName", "eventSource", "sourceIPAddress", "userIdentity", "responseElements" nodrop
| json field=userIdentity "type", "arn" nodrop
| where type="Root"
| formatDate(_messageTime, "yy-MM-dd HH:mm:ss") as date
| count date, eventname, eventtype, sourceipaddress, type, arn
| sort date
Note that different event names may be assigned different levels of interest in the case of an audit. For example, 'Decrypt' may be an indicator of access to highly sensitive data, and 'CreateFunction' may be an indicator of a significant change to the API or application being monitored. Assigning priorities allows those critical events to be monitored more easily when added to a dashboard.
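As an added example (not part of the lab and not Sumo Logic's own code), the same pipeline applied in Python to a few constructed CloudTrail records: the nodrop-style parse of userIdentity, the where filter on type="Root", formatDate, count by the same fields, and sort by date, with an audit priority attached per event name. The sample events, the 123456789012 account id, and the priority levels are made up, and eventTime is assumed to stand in for _messageTime.

```python
import json
from collections import Counter
from datetime import datetime

# Constructed CloudTrail-style records (not real account data), one JSON document per
# line, as the Labs/AWS/CloudTrail source would deliver them. 123456789012 is a dummy id.
SAMPLE_EVENTS = [
    '{"eventTime":"2024-05-01T08:15:02Z","eventType":"AwsConsoleSignIn","eventName":"ConsoleLogin",'
    '"eventSource":"signin.amazonaws.com","sourceIPAddress":"203.0.113.10",'
    '"userIdentity":{"type":"Root","arn":"arn:aws:iam::123456789012:root"}}',
    '{"eventTime":"2024-05-01T08:20:45Z","eventType":"AwsApiCall","eventName":"Decrypt",'
    '"eventSource":"kms.amazonaws.com","sourceIPAddress":"203.0.113.10",'
    '"userIdentity":{"type":"Root","arn":"arn:aws:iam::123456789012:root"}}',
    '{"eventTime":"2024-05-01T08:20:45Z","eventType":"AwsApiCall","eventName":"Decrypt",'
    '"eventSource":"kms.amazonaws.com","sourceIPAddress":"203.0.113.10",'
    '"userIdentity":{"type":"Root","arn":"arn:aws:iam::123456789012:root"}}',
    '{"eventTime":"2024-05-01T09:00:00Z","eventType":"AwsApiCall","eventName":"CreateFunction",'
    '"eventSource":"lambda.amazonaws.com","sourceIPAddress":"198.51.100.7",'
    '"userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/deployer"}}',
    '{"eventTime":"2024-04-30T23:59:59Z","eventType":"AwsApiCall","eventName":"CreateFunction",'
    '"eventSource":"lambda.amazonaws.com","sourceIPAddress":"198.51.100.7",'
    '"userIdentity":{"type":"Root","arn":"arn:aws:iam::123456789012:root"}}',
    # a record with no userIdentity at all: nodrop keeps it, the where filter then removes it
    '{"eventTime":"2024-05-01T10:00:00Z","eventType":"AwsServiceEvent","eventName":"RotateKey",'
    '"eventSource":"kms.amazonaws.com"}',
]

# Event names the lab calls out as deserving extra attention; the levels are assumed.
PRIORITY = {"Decrypt": "high", "CreateFunction": "high"}


def root_activity(lines):
    """Apply the lab query in code: parse, keep Root only, format the time, count, sort by date."""
    counts = Counter()
    for line in lines:
        ev = json.loads(line)
        ident = ev.get("userIdentity") or {}        # nodrop: missing fields stay empty, row is kept
        if ident.get("type") != "Root":             # | where type="Root"
            continue
        # formatDate(_messageTime, "yy-MM-dd HH:mm:ss"), using eventTime as the message time
        when = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").strftime("%y-%m-%d %H:%M:%S")
        # | count date, eventname, eventtype, sourceipaddress, type, arn
        key = (when, ev.get("eventName"), ev.get("eventType"), ev.get("sourceIPAddress"),
               ident["type"], ident.get("arn"))
        counts[key] += 1
    # | sort date; each row carries its count and the audit priority of its event name
    rows = [k + (n, PRIORITY.get(k[1], "normal")) for k, n in counts.items()]
    return sorted(rows, key=lambda r: r[0])


if __name__ == "__main__":
    for row in root_activity(SAMPLE_EVENTS):
        print(*row, sep=" | ")
```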
Amazon Resource Names (ARNs) uniquely identify AWS resources. AWS requires an ARN when you need to specify a resource unambiguously across all of AWS, such as in IAM policies, Amazon Relational Database Service (Amazon RDS) tags, and API calls.
Quiz (True or False?)
- You can parse
  | json field=userIdentity "type", "arn" nodrop
  without first running
  | json "eventType", "eventName", "eventSource", "sourceIPAddress", "userIdentity", "responseElements" nodrop.
- In some regions, such as Europe and Latin America, the formatDate operator would be used like | formatDate(now(),"dd-MM-yyyy") as today.
Congratulations! You’ve completed these tasks:
Learned how to monitor root for auditors.
Parsed using JSON with fields and without.
Applied the use of formatting operators.