Detecting Root Account Usage
Build an alarm that fires the moment the root user is active.
Why the Root User Is Special
The root user is the identity created with the email address used to open an AWS account, and it has complete access to every action and resource in that account. Unlike IAM users and roles, it cannot be restricted by IAM policies, because no policy can be attached to it. Service control policies do restrict the root user of a member account in an AWS Organization, but nothing restricts the root user of the management account. Because of this power, any use of the root user is a high-signal security event worth alerting on immediately.
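The detection logic itself, as an added example that is not part of the original lesson: a Python equivalent of the CloudWatch Logs metric filter pattern that the CIS AWS Foundations Benchmark uses for root-user activity, run over constructed CloudTrail records (the sample records, account ID and IP addresses are made up; the `find_root_usage` and `is_root_usage` names are this example's own).

```python
"""Detect root-user activity in CloudTrail records (constructed sample data)."""
import json

# CloudWatch Logs metric filter pattern for root-user activity, as used by the
# CIS AWS Foundations Benchmark root-usage control. It matches records whose
# identity type is Root but skips calls an AWS service made on root's behalf
# (userIdentity.invokedBy is set) and service-generated events
# (eventType AwsServiceEvent), neither of which is a person using root.
ROOT_USAGE_FILTER_PATTERN = (
    '{ $.userIdentity.type = "Root" '
    '&& $.userIdentity.invokedBy NOT EXISTS '
    '&& $.eventType != "AwsServiceEvent" }'
)


def is_root_usage(record: dict) -> bool:
    """Python equivalent of ROOT_USAGE_FILTER_PATTERN for one CloudTrail record."""
    identity = record.get("userIdentity") or {}
    if identity.get("type") != "Root":
        return False
    if "invokedBy" in identity:  # a service acting for root, not a person
        return False
    if record.get("eventType") == "AwsServiceEvent":
        return False
    return True


def find_root_usage(cloudtrail_log: str) -> list:
    """Return (eventTime, eventName, sourceIPAddress) for every matching record
    in a CloudTrail log-file body, i.e. the {"Records": [...]} JSON CloudTrail delivers."""
    records = json.loads(cloudtrail_log).get("Records", [])
    return [
        (r.get("eventTime"), r.get("eventName"), r.get("sourceIPAddress"))
        for r in records
        if is_root_usage(r)
    ]


# Constructed sample records (not real CloudTrail output): an interactive root
# console login, an API call by an IAM user, a root-attributed call made by an
# AWS service, and a service event. Only the first should raise the alarm.
SAMPLE_LOG = json.dumps({"Records": [
    {
        "eventTime": "2024-05-01T08:12:33Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "eventType": "AwsConsoleSignIn",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "Root", "accountId": "111122223333",
                         "arn": "arn:aws:iam::111122223333:root"},
    },
    {
        "eventTime": "2024-05-01T08:15:02Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "ListBuckets",
        "eventType": "AwsApiCall",
        "sourceIPAddress": "203.0.113.11",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "accountId": "111122223333"},
    },
    {
        "eventTime": "2024-05-01T09:00:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances",
        "eventType": "AwsApiCall",
        "sourceIPAddress": "cloudformation.amazonaws.com",
        "userIdentity": {"type": "Root", "accountId": "111122223333",
                         "invokedBy": "cloudformation.amazonaws.com"},
    },
    {
        "eventTime": "2024-05-01T09:30:00Z",
        "eventSource": "kms.amazonaws.com",
        "eventName": "GenerateDataKey",
        "eventType": "AwsServiceEvent",
        "sourceIPAddress": "kms.amazonaws.com",
        "userIdentity": {"type": "Root", "accountId": "111122223333"},
    },
]})


if __name__ == "__main__":
    for hit in find_root_usage(SAMPLE_LOG):
        print("ROOT ACTIVITY:", *hit)
```

The `ROOT_USAGE_FILTER_PATTERN` string is what you hand to the metric filter on the CloudTrail log group (for example via `aws logs put-metric-filter --filter-pattern`); the `invokedBy NOT EXISTS` clause is what keeps root-attributed calls made by services such as CloudFormation from paging you. One caveat on "the moment": a metric filter only sees an event once the trail has delivered it to CloudWatch Logs, which takes minutes, not seconds.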
Best Practice: Lock It Away
AWS guidance is to use the root user only for the handful of tasks that require it, such as changing the account's email address or closing the account, and never for routine work. Enable MFA on the root user, delete any root access keys, and create IAM identities or IAM Identity Center users for daily work. After lock-down, legitimate root activity should be rare and planned, so anything the alarm catches is either a scheduled task you already know about or an incident.