AWS Root Login Without MFA | Elastic Security Solution [7.9]

The SIEM app is now a part of the Elastic Security solution. Click here to view SIEM documentation for previous releases.

› › ›

« AWS RDS Instance/Cluster Stoppage AWS S3 Bucket Configuration Deletion »

AWS Root Login Without MFAedit

Identifies attempts to login to AWS as the root user without using multi-factor authentication (MFA). Amazon AWS best practices indicate that the root user should be protected by MFA.

Rule type: query

Rule indices:

filebeat-*

Severity: low

Risk score: 21

Runs every: 10 minutes

Searches indices from: now-60m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html

Tags:

AWS
Elastic
SecOps
Identity and Access
Continuous Monitoring

Version: 1

Added (Elastic Stack release): 7.9.0

Rule authors: Elastic

Rule license: Elastic License

Potential false positivesedit

Some organizations allow root-user logins without MFA, however this is not considered best practice by AWS and increases the risk of compromised credentials.

Investigation guideedit

The AWS Filebeat module must be enabled to use this rule.

Rule queryedit

event.module:aws and event.dataset:aws.cloudtrail and
event.provider:signin.amazonaws.com and event.action:ConsoleLogin and
aws.cloudtrail.user_identity.type:Root and
aws.cloudtrail.console_login.additional_eventdata.mfa_used:false and
event.outcome:success

Threat mappingedit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Privilege Escalation
- ID: TA0004
- Reference URL: https://attack.mitre.org/tactics/TA0004/
Technique:
- Name: Valid Accounts
- ID: T1078
- Reference URL: https://attack.mitre.org/techniques/T1078/

« AWS RDS Instance/Cluster Stoppage AWS S3 Bucket Configuration Deletion »