Triggers
- An action was taken by the root account.
Possible Root Causes
- An attacker has compromised the root account and is using the unfettered access it grants to further their attack.
- Administrators are using the root account for normal activities, which is against best practices and should not be done.
Business Impact
- Malicious use of the root account indicates significant opportunity for negative impact to organizational assets, services, and data to include disruptive impact and sensitive data loss.
- Misuse of the root account by admins for routine activities greatly elevates the risk of accidental damage or disruption.
Steps to Verify
- Review the activity completed by the root account for indications of malicious activity.
- Validate with the team responsible for administering AWS that they used the root account for an authorized activity.