DoiT RootGuard
What is RootGuard?
As an AWS partner, we are required to monitor specific activities within the management account. RootGuard, DoiT's solution, fulfills this monitoring obligation by tracking root user activity, billing modifications, and contact information changes.
Architecture
RootGuard operates through two key components:
- An AWS EventBridge rule that monitors the default event bus using specific event patterns to detect targeted activities.
- A Lambda function that runs on a six-hour schedule. This function verifies existence of at least one CloudTrail and reports the state back by publishing a custom event to the event bus.
Note
RootGuard requires an active CloudTrail in the US East (N. Virginia/us-east-1) region to function properly. Most events are only available through CloudTrail logs.
The RootGuard Cloudformation template can be accessed from here.
Events
In addition to monitoring all activities performed by the AWS account root user, RootGuard collects the following events:
| Event | EventSource |
|---|---|
| PutContactInformation | account.amazonaws.com |
| DeleteAlternateContact | account.amazonaws.com |
| PutAlternateContact | account.amazonaws.com |
| SetContactAddress | billingconsole.amazonaws.com |
| SetDefaultPaymentMethod | billingconsole.amazonaws.com |
| SetAdditionalContacts | billingconsole.amazonaws.com |
| SetAccountPreferences | billingconsole.amazonaws.com |
| AWSPaymentPortalService.ValidatePaymentInstrumentOperation | billingconsole.amazonaws.com |
| CreatePaymentInstrument | aws-payment-encryption.amazonaws.com |
| Preferences_CreatePaymentProfile | payments.amazonaws.com |
| Preferences_UpdatePaymentProfile | payments.amazonaws.com |
| Instruments_Create | payments.amazonaws.com |
| Instruments_Update | payments.amazonaws.com |
| DeleteTaxRegistration | tax.amazonaws.com |
| CreateCustomerCase | taxconsole.amazonaws.com |
| PreviewTaxRegistrationChange | taxconsole.amazonaws.com |
| Healthcheck | rootguard.doit.com |