Sumo Logic

Lab 12 - Monitor AWS Root Account Usage for compliance

Explore the functionality of LogCompare, which allows you to compare log activity from two different time periods, providing you insight on how your current time compares to a baseline.
Eliminating the use of the root account is a security best practice, because root has unrestricted access to every resource in your account. An organization using AWS should be made aware of ANY root activity within its AWS environment so it can determine whether that activity is malicious or safe. A compliance auditor will often look for this activity and want the organization to confirm it is not using this account, or to justify why root was used.
In this lab you look for root activity within AWS by using CloudTrail. Then you compare your results with those of other users, using our Global Intelligence dashboards.


  1. Root accounts are usually kept in a safe and only used in emergency scenarios. A compliance auditor wants to know if you are using root, and wants you to be able to show proof that each time someone used a root account you were aware of it. Run this query for the last 24 hours to see who is running root, and for what purpose.  

_sourceCategory=Labs/AWS/CloudTrail and root
| json "eventType", "eventName", "eventSource", "sourceIPAddress", "userIdentity", "responseElements" nodrop
| json field=userIdentity "type", "arn" nodrop
| where type="Root"
| formatDate(_messageTime, "yy-MM-dd HH:mm:ss") as date
| count date, eventname, eventtype, sourceipaddress, type, arn
| sort date



[Screenshot: results of the root-activity query, one row per date, event name, event type, source IP, identity type and ARN]

  2. Would you like to take this a step further using our Global Intelligence? Let's take your lab data, such as this event, and compare it with other users. Add the two lines below to the bottom of the query; they give us, for any given second, the maximum number of root events and its 99th percentile. Also comment out the sort, as it is no longer necessary.

_sourceCategory=Labs/AWS/CloudTrail and root
| json "eventType", "eventName", "eventSource", "sourceIPAddress", "userIdentity", "responseElements" nodrop
| json field=userIdentity "type", "arn" nodrop
| where type="Root"
| formatDate(_messageTime, "yy-MM-dd HH:mm:ss") as date
| count date, eventname, eventtype, sourceipaddress, type, arn
| count by date // added for GI: number of aggregated rows per second
| max(_count), pct(_count, 99) // added for GI: in any given second, how many root events at most, and the 99th percentile
//| sort date

  3. The result for the last 24 hours would look similar to this. For any given second, the maximum number of root events is provided under _max and the 99th percentile is provided under _count_pct_99.

[Screenshot: single-row result showing the _max and _count_pct_99 columns]
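To make the two query stages above concrete outside Sumo Logic, the following Python is an added example (not part of the lab and not Sumo Logic code) that applies the same logic to a handful of constructed CloudTrail records: the step 1 filter (keep only userIdentity.type = "Root", format the timestamp as the query does, group on the same six columns) and the step 2 Global Intelligence summary (count the aggregated rows per second, then take the maximum and 99th percentile). The sample records, account ID and IP addresses are fabricated; timestamps are treated as UTC, and pct() is a nearest-rank percentile, which is an assumption about how Sumo's approximate pct operator behaves.

```python
"""Re-implementation of the lab's root-activity query stages over sample CloudTrail records."""
import math
from collections import Counter
from datetime import datetime, timezone

# Constructed sample CloudTrail records (fabricated for this example, not real log data).
# Two ConsoleLogin records and one GetCallerIdentity record share the same second.
ROOT_ARN = "arn:aws:iam::111122223333:root"   # placeholder account ID
SAMPLE_RECORDS = [
    {"eventTime": "2020-08-25T19:48:30Z", "eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "Root", "arn": ROOT_ARN}},
    {"eventTime": "2020-08-25T19:48:30Z", "eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "Root", "arn": ROOT_ARN}},
    {"eventTime": "2020-08-25T19:48:30Z", "eventType": "AwsApiCall", "eventName": "GetCallerIdentity",
     "eventSource": "sts.amazonaws.com", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "Root", "arn": ROOT_ARN}},
    {"eventTime": "2020-08-25T19:48:31Z", "eventType": "AwsApiCall", "eventName": "ListBuckets",
     "eventSource": "s3.amazonaws.com", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "Root", "arn": ROOT_ARN}},
    {"eventTime": "2020-08-25T19:48:31Z", "eventType": "AwsApiCall", "eventName": "DescribeInstances",
     "eventSource": "ec2.amazonaws.com", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
    # No userIdentity at all: 'nodrop' keeps the row with null fields, the where clause then removes it.
    {"eventTime": "2020-08-25T19:48:32Z", "eventType": "AwsApiCall", "eventName": "ListBuckets",
     "eventSource": "s3.amazonaws.com", "sourceIPAddress": "198.51.100.10"},
]


def format_date(event_time):
    """Mirror formatDate(_messageTime, "yy-MM-dd HH:mm:ss"); UTC is assumed here."""
    ts = datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts.strftime("%y-%m-%d %H:%M:%S")


def root_activity(records):
    """Step 1 filter: one row per root event, with the six columns the query groups on."""
    rows = []
    for rec in records:
        identity = rec.get("userIdentity") or {}      # missing JSON field -> null, not dropped
        if identity.get("type") != "Root":            # where type="Root"
            continue
        rows.append((format_date(rec["eventTime"]), rec.get("eventName"), rec.get("eventType"),
                     rec.get("sourceIPAddress"), identity.get("type"), identity.get("arn")))
    return rows


def count_by_columns(rows):
    """count date, eventname, eventtype, sourceipaddress, type, arn -> {row: _count}."""
    return Counter(rows)


def count_by_date(grouped):
    """count by date, applied to the aggregated rows: distinct groups per second, not raw events."""
    return Counter(row[0] for row in grouped)


def pct(values, p):
    """Nearest-rank percentile (an assumption; Sumo's pct() is an approximate estimate)."""
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]


def gi_summary(records):
    """Step 2: the _max and _count_pct_99 values the Global Intelligence query reports."""
    per_second = count_by_date(count_by_columns(root_activity(records)))
    counts = list(per_second.values())
    if not counts:                                    # no root activity in the window
        return {"_max": 0, "_count_pct_99": 0}
    return {"_max": max(counts), "_count_pct_99": pct(counts, 99)}


if __name__ == "__main__":
    for row, n in sorted(count_by_columns(root_activity(SAMPLE_RECORDS)).items()):
        print(n, *row)                                # step 1 output, sorted by date
    print(gi_summary(SAMPLE_RECORDS))                 # step 2 output
```

With the constructed records the step 1 stage yields four root rows collapsing into three groups (ConsoleLogin at 19:48:30 with _count 2, GetCallerIdentity at 19:48:30, ListBuckets at 19:48:31), the IAM user and the identity-less record are excluded, and the summary reports _max 2 and _count_pct_99 2. Note the subtlety the comments call out: because the GI lines run after the first count, the per-second figure counts distinct event groups, not raw root events.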

  4. Let's go and see how we compare with other users. Click ...