Valid Accounts: Account Root User


AWS Specific Sub-Technique


Other sub-techniques of Valid Accounts (4)
ID Name
T1078.A002 Account Root User
T1078.A001 IAM Users

AWS Specific Content


A prerequisite for this technique is that a threat actor has already gained control of an AWS account root user.

This technique covers a threat actor using the root user to perform unauthorized actions. When you first create an Amazon Web Services (AWS) account, you begin with an identity that has complete access to all AWS services and resources in the account. This identity is called the AWS account root user. The email address and password that you used to create your AWS account are the credentials you use to sign in as your root user. Because the root user's access cannot be reduced with IAM identity policies or permissions boundaries (only a service control policy applied to a member account in AWS Organizations constrains it), a threat actor who compromises root credentials gains complete control of the AWS account, including billing, account settings, and the ability to create further IAM principals for persistence.

Detection

AWS Specific Content


Amazon GuardDuty generates a finding (the Policy:IAMUser/RootCredentialUsage finding type) when root user credentials are used to perform an action within an AWS account. You can also follow AWS Prescriptive Guidance to configure workflows that monitor CloudTrail for root user activity: root user actions are recorded with a userIdentity.type of Root and an ARN of the form arn:aws:iam::<account-id>:root, and console sign-ins additionally record whether MFA was used. In some instances, threat actors have created IAM users with the name root. This is not the same as the account root user and is a different principal type: CloudTrail records it with a userIdentity.type of IAMUser and an ARN of the form arn:aws:iam::<account-id>:user/root, so detections keyed on the user name alone will conflate the two.
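The following is an added example, not code from the original page or from AWS. It applies the distinction above to a batch of CloudTrail records: it flags genuine root user activity (on the same userIdentity.type field an EventBridge rule would match), rates console sign-ins without MFA higher, and separately flags an IAM user that merely happens to be named root. The records, IP addresses and account ID 123456789012 are constructed samples, not real log data.

```python
"""Flag AWS account root user activity in CloudTrail records.

Added example, not part of the original page or of any AWS tooling. The records
below are constructed samples (account 123456789012 is the AWS documentation
placeholder; addresses are from the documentation-only ranges).
"""
import json

# Constructed sample CloudTrail records, trimmed to the fields used here.
SAMPLE_RECORDS = json.loads("""
{"Records": [
  {"eventTime": "2025-05-30T10:00:00Z", "eventSource": "signin.amazonaws.com",
   "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
   "userIdentity": {"type": "Root", "principalId": "123456789012",
                    "arn": "arn:aws:iam::123456789012:root", "accountId": "123456789012"},
   "additionalEventData": {"MFAUsed": "No"},
   "responseElements": {"ConsoleLogin": "Success"}},
  {"eventTime": "2025-05-30T10:02:00Z", "eventSource": "iam.amazonaws.com",
   "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.7",
   "userIdentity": {"type": "Root", "principalId": "123456789012",
                    "arn": "arn:aws:iam::123456789012:root", "accountId": "123456789012"}},
  {"eventTime": "2025-05-30T10:05:00Z", "eventSource": "s3.amazonaws.com",
   "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.9",
   "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLEPRINCIPAL1",
                    "arn": "arn:aws:iam::123456789012:user/root",
                    "accountId": "123456789012", "userName": "root"}},
  {"eventTime": "2025-05-30T10:06:00Z", "eventSource": "sts.amazonaws.com",
   "eventName": "AssumeRole", "sourceIPAddress": "203.0.113.9",
   "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLEPRINCIPAL2",
                    "arn": "arn:aws:iam::123456789012:user/alice",
                    "accountId": "123456789012", "userName": "alice"}}
]}
""")["Records"]


def is_root_user(identity):
    """True only for the genuine account root user.

    CloudTrail records the root user with type "Root" and an ARN ending in ":root".
    An IAM user named "root" has type "IAMUser" and an ARN ending in ":user/root".
    """
    return identity.get("type") == "Root" and identity.get("arn", "").endswith(":root")


def is_iam_user_named_root(identity):
    """An IAM user whose user name is "root": a different principal type entirely."""
    return identity.get("type") == "IAMUser" and identity.get("userName") == "root"


def classify(record):
    """Return (finding_type, severity) for a record, or None if nothing to flag."""
    identity = record.get("userIdentity", {})
    if is_root_user(identity):
        if record.get("eventName") == "ConsoleLogin":
            # Console sign-in events carry additionalEventData.MFAUsed ("Yes"/"No").
            mfa_used = record.get("additionalEventData", {}).get("MFAUsed") == "Yes"
            return ("ROOT_CONSOLE_LOGIN", "MEDIUM" if mfa_used else "HIGH")
        # Any other API call by the root user: root should not be used day to day.
        return ("ROOT_API_CALL", "HIGH")
    if is_iam_user_named_root(identity):
        # Not the account root user; worth a look because it is a known decoy name.
        return ("IAM_USER_NAMED_ROOT", "MEDIUM")
    return None


def scan(records):
    """Classify every record and return the list of findings in log order."""
    findings = []
    for record in records:
        result = classify(record)
        if result is None:
            continue
        findings.append({
            "time": record["eventTime"],
            "event": record["eventName"],
            "arn": record["userIdentity"].get("arn"),
            "source_ip": record.get("sourceIPAddress"),
            "finding": result[0],
            "severity": result[1],
        })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(json.dumps(finding))
```

The check on userIdentity.type rather than on the user name is the whole point: the third sample record would trip a name-based rule while the first two, the real root activity, would not be rated any differently from ordinary IAM use.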


Mitigation

AWS Specific Content


Follow the root user best practices for your AWS account, which include securing your root user credentials to help prevent unauthorized use, using a strong password to help protect access, and using multi-factor authentication (MFA) to sign in.

You can use IAM Access Analyzer to regularly review and verify access and manage permissions across your AWS environment. Its unused access findings highlight identities with excessive or unused permissions, and its CloudTrail-based policy generation shows which actions an identity has actually performed so that you can right-size its policy.

For member accounts in AWS Organizations, you can centralize root access from the management account to help prevent root user credential access at scale. After centralizing root access, you can choose to delete root user credentials from member accounts in your organization: you can remove the root user password, access keys, and signing certificates, and deactivate multi-factor authentication (MFA). New accounts you create in AWS Organizations then have no root user credentials by default, and member accounts can't sign in to their root user or perform password recovery for their root user. The small set of tasks that still require root (for example, recovering a misconfigured S3 bucket policy) are performed from the management account through short-term, task-scoped root sessions rather than with long-lived credentials in the member account.

You can also use a service control policy (SCP) to restrict what the root user in your member accounts can do. The condition key aws:PrincipalArn with the pattern arn:aws:iam::*:root matches only the account root user in each member account; it does not match an IAM user named root (whose ARN ends in :user/root), and SCPs never apply to the management account, so its root user must be protected by the credential controls above. For example, the following SCP denies the root user in a member account every AWS service API call except the S3 bucket policy calls needed to fix a misconfigured bucket policy that denies access to all principals (one of the tasks that requires root credentials):

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Deny",
			"NotAction": [
				"s3:GetBucketPolicy",
				"s3:PutBucketPolicy",
				"s3:DeleteBucketPolicy"
			],
			"Resource": "*",
			"Condition": {
				"StringLike": { "aws:PrincipalArn": "arn:aws:iam::*:root" }
			}
		}
	]
}


References

Technique Information

ID: T1078.A002
Aliases: T1078.A002, AT1021.002
Sub-technique of: T1078
Tactics:
  • Defense Evasion
  • Persistence
  • Privilege Escalation
  • Initial Access
Platforms:
  • IaaS
  • Amazon Web Services (AWS)
Created: 03 Jun 2021
Last Modified: 30 May 2025