Suspicious activity

AWS root account console login without MFA

Risk Level

Hazardous (3)

  • N/A


It was found that the root account was used to login to AWS console with Multi-Factor Authentication (MFA). The root account should not be used in day to day administrative tasks because it can't be deleted and its permissions can't be revoked.
  • Recommended Mitigation

    It is recommended to review the root account activity and eliminate the use of the root account by creating individual users with administrative permissions.In addition, MFA enforcement on the root account is recommended. In order to review the root account activities the following sonar query can be executed: 'CloudTrailEvent with AwsUser with Name like """"'