LoFP / aws tasks that require aws account root user credentials https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html

Techniques

Sample rules

AWS Root Credentials

source: sigma
technicques:
- t1078
- t1078.004

Description

Detects AWS root account usage

Detection logic

condition: selection_usertype and not selection_eventtype
selection_eventtype:
  eventType: AwsServiceEvent
selection_usertype:
  userIdentity.type: Root