If you follow this best practice, though, how can you monitor for root activity and take action if such activity occurs? CloudTrail also provides a simple way to integrate with CloudWatch.
You can combine these three services (CloudTrail, CloudWatch, and SNS) in such a way that SNS will send you an email when CloudTrail records root access key activity in your AWS account. The following illustration shows the steps in setting up this process.
The first step is to authorize CloudTrail to deliver its logs to CloudWatch. You complete this in the CloudTrail console.
In this step you also create or select a CloudWatch Logs log group that will receive your logs from CloudTrail. In steps 2 through 4, you use the CloudWatch console to create a filter that detects root account usage, specify the parameters under which that usage will trigger an alarm, and provide an email address where you will receive alarm notifications.
In step 5, you test the alarm by taking some AWS action with your root credentials, for example by launching an instance in the Amazon EC2 console. In a real scenario, you would use this information to take corrective actions or investigate further. You enable CloudTrail per region, for all of the services in that region.
For the steps, see Creating a Trail in the CloudTrail documentation. In this case, your filter will detect direct usage of your root account.
If Metric Value does not appear, click Show advanced metric settings first. Now, create and specify thresholds for your alarm, and an email address to which an SNS notification will be sent whenever your alarm is triggered. However, you might want to change the RootAccountUsageCount threshold in field 2 to be greater than one, depending on your requirements.
To test your alarm, perform some activity with your root account. In my case, after starting an Amazon EC2 instance, I received the following email. The notification tells me that my root account access key was used in the US East N.
When I expand the event, I get even more information. The CloudTrail log shows the IP address of the caller and the access key (obscured in the screenshot), and you can use these to take further actions, potentially by opening a trouble ticket at your company or by deactivating or deleting the access key for your root account.
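To make the filter, the alarm threshold, and the event fields discussed above concrete, here is an added example (not code from the original post or from AWS) that reproduces the detection offline in Python. It assumes the root-usage filter pattern commonly used for this purpose (`{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }`, an assumption, since the post's own pattern is not quoted here), applies a RootAccountUsageCount threshold the way the CloudWatch alarm would, and pulls out the caller IP and the masked access key you would look at in the expanded event. The CloudTrail records, account ID, IP address, and access key ID are all constructed placeholders.

```python
"""Offline reproduction of the root-usage metric filter, alarm, and triage fields.

Added example; the CloudTrail records below are constructed, not captured.
"""
import json

# Constructed CloudTrail log-file payload in the shape CloudTrail delivers to
# CloudWatch Logs. Account ID, IP address and access key ID are placeholders.
SAMPLE_LOG_FILE = json.dumps({"Records": [
    {   # direct root API call from the console: the filter must match this one
        "eventVersion": "1.05", "eventTime": "2024-01-01T12:00:00Z",
        "eventType": "AwsApiCall", "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances", "awsRegion": "us-east-1",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "Root", "accountId": "123456789012",
                         "accessKeyId": "AKIAEXAMPLEROOT1234"},
    },
    {   # ordinary IAM user doing the same thing: must not match
        "eventVersion": "1.05", "eventTime": "2024-01-01T12:01:00Z",
        "eventType": "AwsApiCall", "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances", "awsRegion": "us-east-1",
        "sourceIPAddress": "198.51.100.8",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "accountId": "123456789012",
                         "accessKeyId": "AKIAEXAMPLEUSER5678"},
    },
    {   # root identity, but an AWS service made the call on its behalf: no match
        "eventVersion": "1.05", "eventTime": "2024-01-01T12:02:00Z",
        "eventType": "AwsApiCall", "eventSource": "config.amazonaws.com",
        "eventName": "DescribeConfigurationRecorders", "awsRegion": "us-east-1",
        "sourceIPAddress": "config.amazonaws.com",
        "userIdentity": {"type": "Root", "accountId": "123456789012",
                         "invokedBy": "config.amazonaws.com"},
    },
    {   # service-generated event attributed to root: no match
        "eventVersion": "1.05", "eventTime": "2024-01-01T12:03:00Z",
        "eventType": "AwsServiceEvent", "eventSource": "ec2.amazonaws.com",
        "eventName": "ScheduledInstanceStop", "awsRegion": "us-east-1",
        "userIdentity": {"type": "Root", "accountId": "123456789012"},
    },
]})


def parse_log_file(text):
    """CloudTrail log files wrap events in a top-level 'Records' array."""
    return json.loads(text)["Records"]


def is_root_usage(event):
    """Mirror of the assumed metric filter pattern:
    userIdentity.type == "Root", no invokedBy, and not an AwsServiceEvent."""
    identity = event.get("userIdentity", {})
    return (identity.get("type") == "Root"
            and "invokedBy" not in identity
            and event.get("eventType") != "AwsServiceEvent")


def mask_key(key_id):
    """Keep only the last four characters, as you would in a ticket or screenshot."""
    return "*" * (len(key_id) - 4) + key_id[-4:] if key_id else "(none)"


def triage_fields(event):
    """The fields the expanded event gives you to act on."""
    identity = event.get("userIdentity", {})
    return {
        "eventTime": event.get("eventTime"),
        "awsRegion": event.get("awsRegion"),
        "eventName": event.get("eventName"),
        "sourceIPAddress": event.get("sourceIPAddress"),
        "accessKeyId": mask_key(identity.get("accessKeyId")),
    }


def summarize_root_usage(records, threshold=1):
    """Count matches the way the RootAccountUsageCount metric would and apply the
    alarm threshold (>= threshold within the period means ALARM)."""
    findings = [triage_fields(e) for e in records if is_root_usage(e)]
    return {
        "count": len(findings),
        "state": "ALARM" if len(findings) >= threshold else "OK",
        "findings": findings,
    }


if __name__ == "__main__":
    print(json.dumps(summarize_root_usage(parse_log_file(SAMPLE_LOG_FILE)), indent=2))
```

Running the module prints one finding with state ALARM. Raising `threshold` to 2, as the post suggests you might for the RootAccountUsageCount field, leaves the same input in state OK, which is the trade-off to keep in mind before loosening the alarm.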
You can also use a downloadable CloudFormation template to set up alarms easily for common security scenarios. If there are filters and alarms that you would like to see that we have not yet documented, please visit the CloudTrail Forum and let us know.
Open the CloudWatch console. In the navigation pane, click Logs.
In the list of log groups, select the check box next to the log group that you created for CloudTrail log events. Click Create Metric Filter.
Assign a metric
Next, give your filter a name and assign a metric. Click Metric Value, and then type 1.
When you are finished, click Create Filter.
Create an alarm
Now, create and specify thresholds for your alarm, and an email address to which an SNS notification will be sent whenever your alarm is triggered.
On the Create Alarm page, provide values for the numbered fields shown in the following annotated screenshot; the table following the screenshot contains the values that I used to create the alarm.
The Email list box appears, but first type a unique topic name for the list.
You will receive an email at this address to confirm that you created this alarm. When you are finished, click Create Alarm.
You will be asked to confirm your email address. In the email that you receive, click Confirm Subscription.
In the confirmation dialog, a green arrow appears next to your email address.
Test the alarm and receive an SNS notification
To test your alarm, perform some activity with your root account.
Look up the event and take corrective actions
The notification tells me that my root account access key was used in the US East N.
Where to learn more
Here are some valuable resources for managing access keys:
Near the Select a notification list box, click New list. In the Email list box, type the email address to which you want notifications sent.