Deren shows you how to review your CloudTrail logs


My CloudTrail logs show that my root credentials are being used to authenticate actions or calls against my AWS resources, but I didn’t initiate the action or call. Should I be concerned?

Some AWS services, such as Auto Scaling and Elastic Load Balancing, use root to access resources in your AWS account, instead of an IAM role. When this happens, you see the name of the service in the invokedBy field of the userIdentity JSON statement.

To identify if the recorded API activity was initiated automatically by an AWS service on your behalf, review the contents of your CloudTrail logs, especially the invokedBy, eventSource, eventName, sourceIPAddress, and userAgent fields.

For example, Elastic Load Balancing automatically scales to meet capacity in response to incoming application traffic, which will create a CloudTrail event log similar to the following:

{
    "eventVersion": "1.02",
    "userIdentity": {
        "type": "Root",
        "principalId": "12345678912",
        "arn": "arn:aws:iam::12345678912:root",
        "accountId": "012345678912",
        "userName": "foo",
        "invokedBy": "elasticloadbalancing.amazonaws.com"
    },
    "eventTime": "2015-11-12T04:31:44Z",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "DeleteNetworkInterface",
    "awsRegion": "ap-southeast-2",
    "sourceIPAddress": "elasticloadbalancing.amazonaws.com",
    "userAgent": "elasticloadbalancing.amazonaws.com",
    "errorCode": "Client.InvalidParameterValue",
    "errorMessage": "Network interface 'en-abcd1234' is currently in use.",
    "requestParameters": {
        "networkInterfaceId": "en-abcd1234"
    },
...
}

In this example, the invokedBy field shows that ELB obtained root access, and the sourceIPAddress and userAgent fields show that ELB then made the request to delete a network interface (eventName) through the EC2 API (eventSource).

Note: The userName field holds your account alias, not the name of an IAM user.

For the sourceIPAddress and userAgent fields, a DNS name will only be displayed if the identity is an AWS service. This will help identify if the action was invoked by an AWS service or an IAM user/role.
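The triage rule described above (service name in invokedBy, plus DNS names rather than an IP address and client string in sourceIPAddress and userAgent) can be applied across a whole CloudTrail log file. The following is an added example, not code from the original article or from AWS; the log records it reads are constructed, the first modelled on the ELB event above and the second a direct root call that a reviewer would want flagged.

```python
import json

# Constructed sample CloudTrail log (not from the original page): the first
# record mirrors the ELB example above, the second is a direct root call.
SAMPLE_LOG = json.dumps({"Records": [
    {"userIdentity": {"type": "Root", "principalId": "12345678912",
                      "arn": "arn:aws:iam::12345678912:root",
                      "accountId": "012345678912", "userName": "foo",
                      "invokedBy": "elasticloadbalancing.amazonaws.com"},
     "eventTime": "2015-11-12T04:31:44Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DeleteNetworkInterface", "awsRegion": "ap-southeast-2",
     "sourceIPAddress": "elasticloadbalancing.amazonaws.com",
     "userAgent": "elasticloadbalancing.amazonaws.com"},
    {"userIdentity": {"type": "Root", "principalId": "12345678912",
                      "arn": "arn:aws:iam::12345678912:root",
                      "accountId": "012345678912", "userName": "foo"},
     "eventTime": "2015-11-12T05:02:10Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.23", "userAgent": "aws-cli/1.10.1"},
]})

def is_aws_service_name(value):
    """True when an identity field holds an AWS service DNS name, not an IP/UA."""
    return isinstance(value, str) and value.endswith(".amazonaws.com")

def classify_root_event(record):
    """Return 'service-invoked', 'direct-root', or None for non-root records."""
    ident = record.get("userIdentity", {})
    if ident.get("type") != "Root":
        return None
    # The check described above: a service name in invokedBy, with DNS names
    # in sourceIPAddress and userAgent, means AWS acted on your behalf.
    if (is_aws_service_name(ident.get("invokedBy"))
            and is_aws_service_name(record.get("sourceIPAddress"))
            and is_aws_service_name(record.get("userAgent"))):
        return "service-invoked"
    return "direct-root"

def triage_root_activity(log_text):
    """Count service-invoked root calls; list direct root calls for review."""
    service_calls, direct_calls = 0, []
    for rec in json.loads(log_text)["Records"]:
        kind = classify_root_event(rec)
        if kind == "service-invoked":
            service_calls += 1
        elif kind == "direct-root":
            direct_calls.append((rec["eventTime"], rec["eventName"],
                                 rec["sourceIPAddress"]))
    return service_calls, direct_calls
```

Running triage_root_activity(SAMPLE_LOG) counts the ELB call as service-invoked and returns the CreateUser call in the review list, since its sourceIPAddress and userAgent are not AWS service names.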

While this action, if unwanted, may indicate a misconfiguration of the ELB service on your account, from a security perspective, these calls are innocuous.


Published: 2016-07-26