CloudWatch Root Account Use Missing
- Query id: 8b1b1e67-6248-4dca-bbad-93486bb181c0
- Query name: CloudWatch Root Account Use Missing
- Platform: Terraform
- Severity: Medium
- Category: Observability
- CWE: Ongoing
- URL: Github
Ensure a log metric filter and alarm exist for root acount usage
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
resource "aws_cloudwatch_log_metric_filter" "cis_root_account_use_metric_filter" {
name = "CIS-RootAccountUsage"
pattern = "{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }"
log_group_name =
metric_transformation {
name = "CIS-RootAccountUsage"
namespace = "CIS_Metric_Alarm_Namespace"
value = "1"
resource "aws_cloudwatch_metric_alarm" "cis_root_account_use_cw_alarm" {
alarm_name = "CIS-3.3-RootAccountUsage"
comparison_operator = "GreaterThanOrEqualToThreshold"
evaluation_periods = "1"
metric_name = "XXX NOT YOUR FILTER XXX"
namespace = "CIS_Metric_Alarm_Namespace"
period = "300"
statistic = "Sum"
threshold = "1"
alarm_description = "Monitoring for root account logins will provide visibility into the use of a fully privileged account and an opportunity to reduce the use of it."
alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
insufficient_data_actions = []
resource "aws_cloudwatch_log_metric_filter" "cis_no_mfa_console_signin_metric_filter" {
name = "CIS-ConsoleSigninWithoutMFA"
pattern = "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }"
log_group_name =
metric_transformation {
name = "CIS-ConsoleSigninWithoutMFA"
namespace = "CIS_Metric_Alarm_Namespace"
value = "1"
resource "aws_cloudwatch_metric_alarm" "cis_no_mfa_console_signin_cw_alarm" {
alarm_name = "CIS-3.2-ConsoleSigninWithoutMFA"
comparison_operator = "GreaterThanOrEqualToThreshold"
evaluation_periods = "1"
metric_name =
namespace = "CIS_Metric_Alarm_Namespace"
period = "300"
statistic = "Sum"
threshold = "1"
alarm_description = "Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA."
alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
insufficient_data_actions = []
Positive test num. 2 - tf file
resource "aws_cloudwatch_log_metric_filter" "cis_root_account_use_metric_filter" {
name = "CIS-RootAccountUsage"
pattern = "{ $.userIdentity.type = \"Root\" && $.eventType != \"AwsServiceEvent\" }"
log_group_name =
metric_transformation {
name = "CIS-RootAccountUsage"
namespace = "CIS_Metric_Alarm_Namespace"
value = "1"
resource "aws_cloudwatch_metric_alarm" "cis_root_account_use_cw_alarm" {
alarm_name = "CIS-3.3-RootAccountUsage"
comparison_operator = "GreaterThanOrEqualToThreshold"
evaluation_periods = "1"
metric_name =
namespace = "CIS_Metric_Alarm_Namespace"
period = "300"
statistic = "Sum"
threshold = "1"
alarm_description = "Monitoring for root account logins will provide visibility into the use of a fully privileged account and an opportunity to reduce the use of it."
alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
insufficient_data_actions = []
Positive test num. 3 - tf file
resource "aws_cloudwatch_log_metric_filter" "cis_root_account_use_metric_filter" {
name = "CIS-RootAccountUsage"
pattern = "{ $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }"
log_group_name =
metric_transformation {
name = "CIS-RootAccountUsage"
namespace = "CIS_Metric_Alarm_Namespace"
value = "1"
resource "aws_cloudwatch_metric_alarm" "cis_root_account_use_cw_alarm" {
alarm_name = "CIS-3.3-RootAccountUsage"
comparison_operator = "GreaterThanOrEqualToThreshold"
evaluation_periods = "1"
metric_name =
namespace = "CIS_Metric_Alarm_Namespace"
period = "300"
statistic = "Sum"
threshold = "1"
alarm_description = "Monitoring for root account logins will provide visibility into the use of a fully privileged account and an opportunity to reduce the use of it."
alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
insufficient_data_actions = []
Positive test num. 4 - tf file
resource "aws_cloudwatch_metric_alarm" "cis_unauthorized_api_calls_cw_alarm" {
alarm_name = "CIS-3.1-UnauthorizedAPICalls"
comparison_operator = "GreaterThanOrEqualToThreshold"
evaluation_periods = "1"
metric_name =
namespace = "CIS_Metric_Alarm_Namespace"
period = "300"
statistic = "Sum"
threshold = "1"
alarm_description = "Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity."
alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
insufficient_data_actions = []
resource "aws_cloudwatch_log_metric_filter" "cis_unauthorized_api_calls_metric_filter" {
name = "CIS-UnauthorizedAPICalls"
pattern = "{ $.userIdentity.type = \"Root\" || $.eventType != \"AwsServiceEvent\" }"
log_group_name =
metric_transformation {
name = "CIS-UnauthorizedAPICalls"
namespace = "CIS_Metric_Alarm_Namespace"
value = "1"
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
resource "aws_cloudwatch_log_metric_filter" "cis_root_account_use_metric_filter" {
name = "CIS-RootAccountUsage"
pattern = "{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }"
log_group_name =
metric_transformation {
name = "CIS-RootAccountUsage"
namespace = "CIS_Metric_Alarm_Namespace"
value = "1"
resource "aws_cloudwatch_metric_alarm" "CIS_Root_Account_Use_CW_Alarm" {
alarm_name = "CIS-3.3-RootAccountUsage"
comparison_operator = "GreaterThanOrEqualToThreshold"
evaluation_periods = "1"
metric_name =
namespace = "CIS_Metric_Alarm_Namespace"
period = "300"
statistic = "Sum"
threshold = "1"
alarm_description = "Monitoring for root account logins will provide visibility into the use of a fully privileged account and an opportunity to reduce the use of it."
alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
insufficient_data_actions = []
resource "aws_cloudwatch_log_metric_filter" "cis_no_mfa_console_signin_metric_filter" {
name = "CIS-ConsoleSigninWithoutMFA"
pattern = "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }"
log_group_name =
metric_transformation {
name = "CIS-ConsoleSigninWithoutMFA"
namespace = "CIS_Metric_Alarm_Namespace"
value = "1"
resource "aws_cloudwatch_metric_alarm" "cis_no_mfa_console_signin_cw_alarm" {
alarm_name = "CIS-3.2-ConsoleSigninWithoutMFA"
comparison_operator = "GreaterThanOrEqualToThreshold"
evaluation_periods = "1"
metric_name =
namespace = "CIS_Metric_Alarm_Namespace"
period = "300"
statistic = "Sum"
threshold = "1"
alarm_description = "Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA."
alarm_actions = ["aws_sns_topic.CIS_Alerts_SNS_Topic.arn"]
insufficient_data_actions = []