AWS Account Root User Activity

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)
Rule ID: IAM-052

Cloud Conformity monitors and notifies on any root API activity performed within your AWS account. When you sign up for Amazon Web Services, you provide login information (an email address and a password) that is associated with your AWS account. This combination of email address and password represents your AWS root account, and its credentials allow full access to all AWS services (including billing information) and resources. Since the root user has complete control over your AWS cloud infrastructure and resources, it is imperative to prevent this privileged user from getting into the wrong hands.

Although Cloud Conformity strongly recommends that you avoid using the AWS root user for your everyday tasks, or even for administrative ones, there are particular actions (changing the root password, viewing account billing information, changing account payment options, restoring IAM user permissions, transferring a Route 53 domain to another AWS account, etc.) that can only be performed by the root user. Therefore, to be certain that all root user activity is authorized and expected, it is vital to monitor root API calls to a given AWS account and to get notifications when this type of activity is detected, via the recipients defined in the Cloud Conformity account settings.

The communication channels for sending notifications can be easily configured within your Cloud Conformity account. The supported communication channels that you can use to receive notification alerts are Slack, SMS, Email, PagerDuty, ServiceNow and Zendesk. Through this detection and notification process, Cloud Conformity RTMA gives you the ability to take any necessary steps when illegitimate root API activity is detected, or it can simply be used for tracking root user activity, as required for future auditing needs.

This rule can help you with the following compliance standards:

  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Real-Time Threat Monitoring.


Monitoring AWS account root user activity can help your organization meet security and compliance requirements and respond quickly to any unauthorized root access sessions. As a security best practice, you need to be aware whenever root user activity occurs within your Amazon Web Services account. To achieve and maintain this awareness, you need to enable Cloud Conformity RTMA root API activity monitoring. Because the root user acts like a superuser, anyone who has your root credentials can gain unrestricted access to all resources and services available in your AWS account, including billing information and the ability to change the root password. The most effective way to reduce the risk of unauthorized access and gain real-time visibility into your account root activity is to avoid using the root user credentials for everyday access (to perform high-privilege activities, use an admin-level IAM user instead) and to monitor each root API call performed within your AWS account.
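The root API call monitoring described above can be illustrated with a small filter over CloudTrail records. This is an added example, not Conformity RTMA code: it relies on the CloudTrail fields `userIdentity.type`, `userIdentity.invokedBy`, `eventType` and `additionalEventData.MFAUsed`, and the function names and sample records are constructed for illustration.

```python
import json

# Constructed CloudTrail records (not real account data), trimmed to the fields used.
ROOT = {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}
SAMPLE_LOG = json.dumps({"Records": [
    # Root console sign-in without MFA: must alert.
    {"eventTime": "2018-09-07T10:00:00Z", "eventName": "ConsoleLogin",
     "eventType": "AwsConsoleSignIn", "sourceIPAddress": "198.51.100.7",
     "userIdentity": ROOT, "additionalEventData": {"MFAUsed": "No"}},
    # Root API call: must alert.
    {"eventTime": "2018-09-07T10:02:11Z", "eventName": "CreateAccessKey",
     "eventType": "AwsApiCall", "sourceIPAddress": "198.51.100.7",
     "userIdentity": ROOT},
    # Ordinary IAM user: ignored.
    {"eventTime": "2018-09-07T10:05:00Z", "eventName": "DescribeInstances",
     "eventType": "AwsApiCall", "sourceIPAddress": "203.0.113.20",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    # AWS service acting for the account, not a person using root: ignored.
    {"eventTime": "2018-09-07T10:06:00Z", "eventName": "Decrypt",
     "eventType": "AwsApiCall", "sourceIPAddress": "kms.amazonaws.com",
     "userIdentity": dict(ROOT, invokedBy="kms.amazonaws.com")},
]})


def is_root_activity(record):
    """True when the root user itself made the call (not an AWS service)."""
    identity = record.get("userIdentity") or {}
    return (identity.get("type") == "Root"
            and "invokedBy" not in identity
            and record.get("eventType") != "AwsServiceEvent")


def root_alerts(log_text):
    """Return one alert dict per root-user event in a CloudTrail log file."""
    alerts = []
    for record in json.loads(log_text).get("Records", []):
        if not is_root_activity(record):
            continue
        extra = record.get("additionalEventData") or {}
        alerts.append({
            "time": record.get("eventTime"),
            "event": record.get("eventName"),
            "source_ip": record.get("sourceIPAddress"),
            "mfa_used": extra.get("MFAUsed"),  # present on ConsoleLogin events
        })
    return alerts


if __name__ == "__main__":
    for alert in root_alerts(SAMPLE_LOG):
        print(alert)
```

Each returned alert carries the fields a reviewer needs to decide whether the root session was authorized: when it happened, what was called, from where, and whether a console sign-in used MFA.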


Publication date Sep 7, 2018
