Control: AWS > HIPAA > Account > Ensure a log metric filter and alarm exist for usage of 'root' account

You can do real-time monitoring of API calls directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.Security Hub recommends that you create a metric filter and alarm for root login attempts. Monitoring for root account logins provides visibility into the use of a fully privileged account and an opportunity to reduce the use of it.

Resource Types

This control targets the following resource types:

AWS > Account

In Your Workspace

Developers

Control Type URI

tmod:@turbot/aws-hipaa#/control/types/logMetricFilterRootLogin

Category URI

tmod:@turbot/turbot#/control/categories/complianceHipaa

GraphQL

query controlType(id: "tmod:@turbot/aws-hipaa#/control/types/logMetricFilterRootLogin") { … }

query controls(filter: "controlTypeId:'tmod:@turbot/aws-hipaa#/control/types/logMetricFilterRootLogin'") { … }

CLI

Get Controls

turbot graphql controls --filter "controlTypeId:tmod:@turbot/aws-hipaa#/control/types/logMetricFilterRootLogin"