# Root Account Monitoring with CloudTrail + SNS

## Objective
Simulate sensitive activity from the AWS root account and detect it using **CloudTrail**, **CloudWatch**, and **SNS alerts**.

---

## Tools Used
- AWS CloudTrail  
- Amazon SNS (Simple Notification Service)  
- IAM (Identity and Access Management)  
- AWS Management Console  

---

## Steps Taken

### 1. Log in Using Root Account
- Logged in to the [AWS Console](https://aws.amazon.com/console/) using root credentials.
- **Screenshot:**  
  `![Root Login](images/root-login.png)`

### 2. Perform Sensitive Activity
- Action performed: disabled MFA from the Security Credentials dashboard.  
- **Screenshot:**  
  `![Sensitive Action](images/sensitive-action.png)`

### 3. Enable CloudTrail
- Created a CloudTrail trail named `RootAccountTrail` to log activities.
- Logs were configured to be stored in an S3 bucket.  
- **Screenshot:**  
  `![CloudTrail Setup](images/cloudtrail-setup.png)`

### 4. Configure S3 Bucket
- Ensured proper bucket policies for CloudTrail log delivery.  
- **Screenshot:**  
  `![S3 Bucket Config](images/s3-config.png)`

### 5. Create SNS Topic & Subscription
- Created an SNS topic named `RootAlertTopic`.
- Subscribed via email/phone to receive alerts.  
- **Screenshot:**  
  `![SNS Setup](images/sns-setup.png)`

### 6. Create CloudWatch Event Rule
- Configured a CloudWatch rule with the following event pattern:

```json
{
  "source": ["aws.signin"],
  "detail-type": ["AWS Console Sign In via CloudTrail"],
  "detail": {
    "userIdentity": {
      "type": ["Root"]
    }
  }
}
```
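The pattern above matches console sign-in events only, so the rule fires on the root login from step 1 and not on the MFA change from step 2. The added example below (not part of the original write-up) implements the exact-value subset of EventBridge pattern matching locally and runs the page's pattern and a broader variant over constructed events; the sample events, the placeholder account ID and `ROOT_ACTIVITY_PATTERN` are assumptions for illustration.

```python
import json

# Event pattern from step 6 of this page, copied verbatim.
ROOT_SIGNIN_PATTERN = json.loads("""{
  "source": ["aws.signin"],
  "detail-type": ["AWS Console Sign In via CloudTrail"],
  "detail": {"userIdentity": {"type": ["Root"]}}
}""")

# Assumption (not from the page): a broader variant that also covers root API calls.
ROOT_ACTIVITY_PATTERN = {
    "detail-type": ["AWS API Call via CloudTrail",
                    "AWS Console Sign In via CloudTrail"],
    "detail": {"userIdentity": {"type": ["Root"]}},
}

def matches(pattern, event):
    """Exact-value subset of EventBridge matching: each pattern key must exist
    in the event, a list means "any of these values", a dict recurses, and
    event fields the pattern does not name are ignored."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True

def sample(source, detail_type, event_name, identity_type):
    """Build a constructed, trimmed event envelope (placeholder account ID)."""
    return {"source": source, "detail-type": detail_type, "account": "111122223333",
            "detail": {"eventName": event_name, "userIdentity": {"type": identity_type}}}

# Constructed sample events, not captured from a real account.
SAMPLES = {
    "root_console_login": sample("aws.signin", "AWS Console Sign In via CloudTrail", "ConsoleLogin", "Root"),
    "iam_user_console_login": sample("aws.signin", "AWS Console Sign In via CloudTrail", "ConsoleLogin", "IAMUser"),
    "root_deactivate_mfa": sample("aws.iam", "AWS API Call via CloudTrail", "DeactivateMFADevice", "Root"),
}

def evaluate(pattern):
    """Return {sample name: True if a rule with this pattern would fire}."""
    return {name: matches(pattern, event) for name, event in SAMPLES.items()}

if __name__ == "__main__":
    for label, pattern in (("page pattern", ROOT_SIGNIN_PATTERN), ("broader pattern", ROOT_ACTIVITY_PATTERN)):
        print(label, evaluate(pattern))
```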