AWS Root Account #7931

Open
robertchris44 opened this issue Oct 24, 2022 · 5 comments
@robertchris44

Describe the bug

I have created a policy to detect the root login based on this policy.

https://cloudcustodian.io/docs/aws/examples/accountrootlogin.html

When I log in to the root account it is not deploying the lambda function. I am able to see the events in cloudwatch but the lambda never gets deployed based on those events.

What did you expect to happen?

When creating the policy for Account - Detect Root Logins, it should generate a lambda that will trigger an email every time a root account login is detected.

Cloud Provider

Amazon Web Services (AWS)

Cloud Custodian version and dependency information

Please copy/paste the following info along with any bug reports:

Custodian:   0.9.18
Python:      3.10.7 (main, Sep 14 2022, 22:38:23) [Clang 14.0.0 (clang-1400.0.29.102)]
Platform:    posix.uname_result(sysname='Darwin', nodename='', release='21.6.0', version='Darwin Kernel Version 21.6.0: Mon Aug 22 20:20:05 PDT 2022; root:xnu-8020.140.49~2/RELEASE_ARM64_T8101', machine='arm64')
Using venv:  True
Docker: False
Installed: 

argcomplete==2.0.0
attrs==22.1.0
boto3==1.24.44
botocore==1.27.44
docutils==0.17.1
importlib-metadata==4.12.0
jmespath==1.0.1
jsonschema==4.9.0
pyrsistent==0.18.1
python-dateutil==2.8.2
pyyaml==6.0
s3transfer==0.6.0
six==1.16.0
tabulate==0.8.10
urllib3==1.26.11
zipp==3.8.1

Policy

I have run the below policy, just replacing the defaults with our account information.

policies:
  - name: root-user-login-detected
    resource: account
    description: |
      Notifies Security and Cloud Admins teams on any AWS root user console logins
    mode:
      type: cloudtrail
      events:
        - ConsoleLogin
    filters:
      - type: event
        key: "detail.userIdentity.type"
        value_type: swap
        op: in
        value: Root
    actions:
      - type: notify
        template: default.html
        priority_header: 1
        subject: "Root User Login Detected! - [custodian {{ account }} - {{ region }}]"
        violation_desc: "A User Has Logged Into the AWS Console With The Root User:"
        action_desc: |
          Please investigate and if needed revoke the root user's session along
          with any other restrictive actions if it's an unapproved root login
        to:
          - CloudAdmins@Company.com
          - SecurityTeam@Company.com
        transport:
          type: sqs
          queue: https://sqs.us-east-1.amazonaws.com/12345678900/cloud-custodian-mailer
          region: us-east-1

Relevant log/traceback output

No response

Extra information or context

No response
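To make the policy's event filter concrete, here is an added example (not Cloud Custodian's own code) that re-implements the `event` filter's matching rules in simplified form and runs them over constructed CloudTrail ConsoleLogin events as EventBridge delivers them. The operand-swapping behaviour of `value_type: swap` and the sample event shapes are assumptions based on the policy above, not taken from the project's source.

```python
# Added example: simplified evaluator for the issue's `event` filter.
# Key path, op and value_type are copied from the policy; the evaluation
# rules below are an assumption, not Cloud Custodian's implementation.
import operator

# The filter block exactly as written in the policy above.
FILTER = {"key": "detail.userIdentity.type", "value_type": "swap",
          "op": "in", "value": "Root"}

OPERATORS = {
    "eq": operator.eq,
    "ne": operator.ne,
    "in": lambda a, b: a in b,
    "not-in": lambda a, b: a not in b,
}


def get_path(event: dict, key: str):
    """Walk a dotted key path into a nested dict; None if any step is missing."""
    node = event
    for part in key.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def event_filter_matches(event: dict, spec: dict = FILTER) -> bool:
    """True when the event satisfies the filter spec.

    Without swap the test is `<event value> <op> <policy value>`; with
    `value_type: swap` the operands are reversed, so `op: in` asks whether
    the policy's value ("Root") is contained in the event's value (assumption).
    A missing key never matches, so malformed events are not flagged.
    """
    actual = get_path(event, spec["key"])
    if actual is None:
        return False
    op = OPERATORS[spec["op"]]
    if spec.get("value_type") == "swap":
        return bool(op(spec["value"], actual))
    return bool(op(actual, spec["value"]))


# Constructed sample events (placeholder account id, no real data).
ROOT_LOGIN = {"region": "us-east-1", "detail": {"eventName": "ConsoleLogin",
              "userIdentity": {"type": "Root", "accountId": "123456789012"}}}
IAM_USER_LOGIN = {"region": "us-east-1", "detail": {"eventName": "ConsoleLogin",
                  "userIdentity": {"type": "IAMUser", "userName": "alice"}}}
MISSING_IDENTITY = {"region": "us-east-1", "detail": {"eventName": "ConsoleLogin"}}


def classify(events):
    """Return the labels of the events the filter flags, in input order."""
    return [label for label, ev in events if event_filter_matches(ev)]
```

Running `classify([("root", ROOT_LOGIN), ("iam", IAM_USER_LOGIN), ("missing", MISSING_IDENTITY)])` flags only the root login, which is the behaviour the deployed Lambda is expected to reproduce on each delivered event.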

@ajkerrigan
Member

This policy should provision a Lambda function (named custodian-root-user-login-detected) when you run it. Is that part happening?

Later when there's a root login in the same account, it should trigger the already-deployed Lambda function. I believe the docs example was written before changes to how CloudTrail captures global service events like ConsoleLogin. So I suspect we should include some guidance about making sure this policy is deployed in us-east-1. Not sure if that's relevant to the issues you're having though.

@robertchris44
Author

It currently is not provisioning a lambda function for this policy.

@ajkerrigan
Member

ajkerrigan commented Oct 24, 2022

The output of custodian run (ideally with --verbose) should be helpful in that case. Hard to tell what's going on otherwise. That output should include something like this:

2022-10-24 11:38:53,453: custodian.commands:DEBUG Loaded file /home/aj/code/sandbox-policies/root-logins.yml. Contains 1 policies
2022-10-24 11:38:53,504: custodian.aws:DEBUG using default region:us-east-1 from boto
2022-10-24 11:38:53,832: custodian.output:DEBUG Storing output with <LogFile file:///home/aj/c7n-out/root-user-login-detected/custodian-run.log>
2022-10-24 11:38:53,886: custodian.policy:INFO Provisioning policy lambda: root-user-login-detected region: us-east-1
2022-10-24 11:38:54,160: custodian.serverless:DEBUG Created custodian serverless archive size: 0.51mb
2022-10-24 11:38:54,319: custodian.serverless:INFO Publishing custodian policy lambda function custodian-root-user-login-detected
2022-10-24 11:39:00,607: custodian.serverless:DEBUG Creating cwe rule for <CWEvent Type:cloudtrail Events:ConsoleLogin>
2022-10-24 11:39:00,998: custodian.serverless:DEBUG Added lambda invoke cwe rule permission
2022-10-24 11:39:01,038: custodian.serverless:DEBUG Creating cwe rule target for <CWEvent Type:cloudtrail Events:ConsoleLogin> on func:arn:aws:lambda:us-east-1:123456789012:function:custodian-root-user-login-detected
2022-10-24 11:39:01,084: custodian.serverless:DEBUG Added event source: <CWEvent Type:cloudtrail Events:ConsoleLogin> to function: arn:aws:lambda:us-east-1:613702428514:function:custodian-root-user-login-detected

If it's not provisioning the Lambda function, you'll probably see some error messages in the logs instead.

Your mode block is also going to need a role parameter so it knows which role to associate with the Lambda function (a bit more on that in the docs here).

So far it looks like, at a minimum, some doc updates for this example would be helpful.

@robertchris44
Author

I am able to get this working if I do a run and pass in the role. The lambda provisions and then logging in with my root account seems to work.

If I delete the lambda, then log back in it still will not provision the lambda. What do I need to do to get this to work without having to manually run the policy via custodian run and for it to create and work automatically?

@kapilt
Collaborator

kapilt commented Oct 25, 2022

The lambda isn't provisioned by the event; it's provisioned when the CLI runs, and its invocation is triggered by the event.
