
Summary
The AWS CloudTrail detection rule 'Root Password Changed' monitors changes to the password of an AWS account's root user. It raises a high-severity alert when the root password is manually updated, a critical security event that may indicate unauthorized access or account manipulation. The rule reads AWS CloudTrail logs and matches events whose event source is 'signin.amazonaws.com' and whose event name is 'PasswordUpdated'. Its test cases cover both a successful password change and a failed attempt, so that abnormal activity around the root account is flagged promptly for review. The associated runbook gives instructions for validating the change and for the actions to take if it was not authorized. The rule supports sound security practice by requiring that the password change be verified and that its occurrence be documented for compliance and auditing.
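The matching logic described above, as an added example that is not the rule's own code: a small detector that applies the event source and event name filter to CloudTrail records and separates a successful root password change from a failed attempt or a non-root change. The record layout it relies on (userIdentity.type, responseElements.PasswordUpdated) is assumed from the CloudTrail record format, and the four sample records are constructed for the example.

```python
"""Added example: detect a successful root password change in CloudTrail records.

Not the detection rule's own code. Field names beyond eventSource/eventName
(userIdentity.type, responseElements.PasswordUpdated) are assumed from the
CloudTrail record format; the sample records below are constructed.
"""
from typing import Dict, List


def is_root_password_change(event: Dict) -> bool:
    """Return True only for a successful password update performed by the root user."""
    if event.get("eventSource") != "signin.amazonaws.com":
        return False
    if event.get("eventName") != "PasswordUpdated":
        return False
    identity = event.get("userIdentity") or {}
    if identity.get("type") != "Root":
        return False
    # Assumed layout: CloudTrail reports the outcome under responseElements.
    # A failed attempt is still worth reviewing but is not this rule's alert.
    response = event.get("responseElements") or {}
    return response.get("PasswordUpdated") == "Success"


def alert_title(event: Dict) -> str:
    """Short, high-severity alert title carrying the account and source address."""
    account = (event.get("recipientAccountId") or "unknown-account")
    return f"[HIGH] Root password changed in AWS account {account} from {event.get('sourceIPAddress', '?')}"


# Constructed sample records (not real CloudTrail output).
SAMPLE_EVENTS: List[Dict] = [
    {  # successful root password change: should alert
        "eventSource": "signin.amazonaws.com",
        "eventName": "PasswordUpdated",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
        "responseElements": {"PasswordUpdated": "Success"},
        "recipientAccountId": "111122223333",
        "sourceIPAddress": "198.51.100.10",
    },
    {  # failed root password change: matched by the rule's failure test case, no alert
        "eventSource": "signin.amazonaws.com",
        "eventName": "PasswordUpdated",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
        "responseElements": {"PasswordUpdated": "Failure"},
        "recipientAccountId": "111122223333",
        "sourceIPAddress": "198.51.100.10",
    },
    {  # IAM user changing their own password: out of scope for this rule
        "eventSource": "signin.amazonaws.com",
        "eventName": "PasswordUpdated",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "responseElements": {"PasswordUpdated": "Success"},
        "recipientAccountId": "111122223333",
        "sourceIPAddress": "198.51.100.20",
    },
    {  # unrelated console login event
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "Root"},
        "responseElements": {"ConsoleLogin": "Success"},
        "recipientAccountId": "111122223333",
        "sourceIPAddress": "198.51.100.10",
    },
]


def run(events: List[Dict]) -> List[str]:
    """Evaluate every record and return the alert titles that fire."""
    return [alert_title(e) for e in events if is_root_password_change(e)]


if __name__ == "__main__":
    for title in run(SAMPLE_EVENTS):
        print(title)
```

Only the first record fires; the failed attempt, the IAM user's own password change and the console login are all dropped, which is the distinction the rule's two test cases exercise. In a real deployment the alert would be followed by the runbook step of confirming with the account owner that the change was authorized.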
Categories
- Cloud
- AWS
- Identity Management
Data Sources
- Cloud Service
- Logon Session
ATT&CK Techniques
- T1098
Created: 2022-09-02