Free AWS Security Whitepaper
    Toc Consulting Logo
    CRITICALCredential Compromise10-15 min containment16 steps across 5 phases

    Unauthorized Root Account Access

    The AWS root account has been accessed without authorization. This is the most critical incident type - root has unrestricted access to all services and resources, can close the account, and cannot be restricted by SCPs or permission boundaries. Act immediately.

    iamiamcloudtrailcloudtrailorganizationsorganizationssnssns

    Phase 1: Detection

    $ tail -f /var/log/cloudtrail/events.log
    1

    Check CloudTrail for root API activity

    Root account usage should be near-zero in a well-managed account. Any root activity is suspicious.

    aws cloudtrail lookup-events \
  --lookup-attributes AttributeKey=Username,AttributeValue=root \
  --start-time <7d-ago> --max-items 50
    CloudTrail:ConsoleLoginCreateAccessKeyChangePasswordEnableMFADeviceDeactivateMFADevice
    2

    Check for root console login from unusual locations

    Look at the sourceIPAddress and userAgent in CloudTrail ConsoleLogin events for root.

    Root console logins should almost never happen. If you see one from an IP you do not recognize, treat it as a compromise.

    3

    Check if MFA was disabled or changed

    Attackers who gain root access often disable MFA to maintain persistence.

    # Check if MFA is enabled on the account
aws iam get-account-summary \
  --query 'SummaryMap.AccountMFAEnabled'
    # List all virtual MFA devices to find root MFA
aws iam list-virtual-mfa-devices
    CloudTrail:DeactivateMFADeviceDeleteVirtualMFADeviceEnableMFADevice

    Phase 2: Containment

    $ ./containment.sh --isolate --immediate
    1

    Change the root password immediately

    Log into the AWS Console as root and change the password. Use a strong, unique password stored in a hardware vault.

    This must be done via the AWS Console - there is no CLI command to change the root password.

    2

    Enable or re-enable MFA on root

    If MFA was disabled by the attacker, re-enable it immediately. Use a hardware FIDO2 key if possible.

    AWS recommends hardware FIDO2 security keys (YubiKey) for root MFA. Virtual MFA (TOTP) is acceptable but less secure.

    3

    Delete any root access keys

    Root should never have access keys. If any exist, delete them immediately.

    # List root access keys
aws iam list-access-keys
    # Delete them
aws iam delete-access-key --access-key-id AKIA...
    4

    Check and close alternate root contacts

    Verify that the alternate contacts (billing, operations, security) have not been changed to attacker-controlled addresses.

    Phase 3: Eradication

    $ ./eradicate.sh --purge --verify
    1

    Audit all changes made by root

    Review every API call made by root during the incident window to identify what was changed.

    aws cloudtrail lookup-events \
  --lookup-attributes AttributeKey=Username,AttributeValue=root \
  --start-time <incident-start> \
  --end-time <now> \
  --max-items 50
    2

    Revert unauthorized changes

    Undo any changes the attacker made: new IAM users, policy changes, resource creation, account settings modifications.

    3

    Check for account-level changes

    Root can change things no other principal can: support plans, account name, payment methods, organization membership.

    CloudTrail:CreateOrganizationLeaveOrganizationCloseAccountSetAccountPreferences

    Phase 4: Recovery

    $ ./recovery.sh --restore --validate
    1

    Secure the root email account

    If the attacker accessed root, they may have also compromised the root email. Change the email password and enable MFA on it.

    The root email is the ultimate recovery mechanism for an AWS account. Secure it with the same rigor as the AWS root itself.

    2

    Contact AWS Support if needed

    If you cannot regain root access or suspect the account has been permanently compromised, contact AWS Support immediately.

    3

    Verify account integrity

    Check billing, payment methods, support plan, and organization membership to ensure nothing was changed.

    Phase 5: Lessons Learned

    $ cat POST_INCIDENT_REVIEW.md
    1

    Enable root login alerts

    Create an EventBridge rule to send SNS notifications whenever root is used.

    aws events put-rule \
  --name "RootAccountUsage" \
  --event-pattern '{"detail-type":["AWS Console Sign In via CloudTrail"],"detail":{"userIdentity":{"type":["Root"]}}}'
    2

    Store root credentials in a physical safe

    Root password and hardware MFA device should be stored in a physical safe with access controlled by at least two people.

    3

    Use AWS Organizations with SCPs

    SCPs restrict root actions in member accounts. Root in the management account remains unrestricted by SCPs. Since November 2024, centralized root access management lets you remove root credentials from member accounts entirely. Minimize blast radius by using delegated admin accounts for daily operations.

    root-accountmfacredential-compromiseaccount-takeover
    Previous
    Compromised EC2 Instance
    Next
    Lambda Function Abuse

    Need Help with Incident Response?

    When an incident strikes, every minute counts. We help AWS teams prepare, detect, and respond to security incidents with proven expertise.

    All PlaybooksGet in Touch