The SIEM app is now a part of the Elastic Security solution.
Click
here to view SIEM documentation for previous releases.
AWS Root Login Without MFA
editAWS Root Login Without MFA
editIdentifies attempts to login to AWS as the root user without using multi-factor authentication (MFA). Amazon AWS best practices indicate that the root user should be protected by MFA.
Rule type: query
Rule indices:
- filebeat-*
Severity: low
Risk score: 21
Runs every: 10 minutes
Searches indices from: now-60m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- AWS
- Elastic
- SecOps
- Identity and Access
- Continuous Monitoring
Version: 1
Added (Elastic Stack release): 7.9.0
Rule authors: Elastic
Rule license: Elastic License
Potential false positives
editSome organizations allow root-user logins without MFA, however this is not considered best practice by AWS and increases the risk of compromised credentials.
Investigation guide
editThe AWS Filebeat module must be enabled to use this rule.
Rule query
editevent.module:aws and event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and aws.cloudtrail.console_login.additional_eventdata.mfa_used:false and event.outcome:success
Threat mapping
editFramework: MITRE ATT&CKTM
-
Tactic:
- Name: Privilege Escalation
- ID: TA0004
- Reference URL: https://attack.mitre.org/tactics/TA0004/
-
Technique:
- Name: Valid Accounts
- ID: T1078
- Reference URL: https://attack.mitre.org/techniques/T1078/