some organizations allow login with the root user without mfa, however, this is not considered best practice by aws and increases the risk of compromised credentials.

t1078
aws
elastic

Techniques

T1078

Sample rules

source: elastic
technicques:
- T1078

Description

Identifies attempts to login to AWS as the root user without using multi-factor authentication (MFA). Amazon AWS best practices indicate that the root user should be protected by MFA.

Detection logic

event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and
  aws.cloudtrail.user_identity.type:Root and
  aws.cloudtrail.console_login.additional_eventdata.mfa_used:false and
  event.outcome:success

Techniques

Sample rules

AWS Root Login Without MFA

Description

Detection logic