What AWS services does Vigilare monitor?

Vigilare monitors 7+ AWS services: Billing (cost anomalies and usage spikes), IAM (policy drift, root account usage, missing MFA), GuardDuty (threat findings), SES (sending reputation), CloudTrail (suspicious API patterns), Service Quotas (limit utilisation), and Account Health (AWS notifications). Coverage is continuously expanded.

How does Vigilare access my AWS account?

Vigilare uses a read-only cross-account IAM role that you provision using our open-source Terraform module. The role grants only the minimum permissions required for monitoring — no write access, no credential storage, and no data leaves your account except what is needed to display findings in your dashboard.

How quickly will I be alerted?

Depending on your plan, Vigilare scans every 1, 5, or 15 minutes. Alerts are delivered in real time via email, Slack, or PagerDuty the moment a threshold is crossed. The typical end-to-end latency from event to alert is under 90 seconds.

Can I monitor multiple AWS accounts?

Yes. The Solo plan covers 1 account, Team supports up to 10, Agency up to 50, and Enterprise is unlimited. All accounts appear in a single dashboard with per-account risk scores and consolidated alert feeds.

Is my AWS data secure?

All data is encrypted at rest with AES-256 and in transit with TLS 1.2+. Vigilare's control plane runs on AWS infrastructure in dedicated, isolated tenants. We never store raw AWS credentials. The platform is SOC 2 Type II compliant and we provide reports on request for Enterprise customers.

Is there a free trial?

Yes — all paid plans include a 14-day free trial. No credit card is required to get started. You can connect your first AWS account and see findings within 5 minutes of signing up.

What happens if I exceed my account limit?

We'll notify you as you approach your account limit and give you the option to upgrade. We won't stop monitoring your existing accounts without notice.

Can I cancel at any time?

Yes. There are no long-term contracts. You can cancel your subscription at any time from the billing settings page. Your access continues until the end of the current billing period.

AWS IAM Security Monitoring: Detect Root Logins, MFA Gaps, and Policy Drift

AWS Identity and Access Management is the attack surface that matters most. Every API call, every console login, every resource provisioned or accessed in your AWS environment is governed by IAM. A misconfigured policy, a compromised access key, or an unmonitored root account login can provide an attacker with the exact permissions needed to exfiltrate data, provision unauthorized resources, or disrupt production workloads.

IAM security monitoring is not a one-time audit — it is a continuous operational discipline that detects drift from your intended security posture and alerts on anomalous identity behavior before it results in a breach. This guide covers the specific IAM monitoring patterns that matter most: root account activity detection, MFA enforcement verification, policy drift identification, and least-privilege compliance.

Why IAM Is the Primary Attack Vector

IAM credentials — not network exploits, not application vulnerabilities — are the most common entry point in AWS security incidents. Leaked access keys in public repositories, phished console credentials, and overly permissive roles assumed by compromised applications all bypass network-level security controls entirely. An attacker with valid IAM credentials operates inside your trust boundary, making their actions indistinguishable from legitimate operations unless you are specifically monitoring for anomalous identity behavior.

The root account presents the highest risk. It has unrestricted access to all AWS resources and settings, bypasses all IAM policies and Service Control Policies, cannot be limited by organizational guardrails, and can close the account, change billing, and modify support plans. A single root account compromise is a total account takeover. AWS explicitly recommends that the root account should never be used for day-to-day operations and should have MFA enabled at all times.

Root Account Login Detection

Detecting root account usage is the highest-priority IAM monitoring requirement. Any root account login outside of a small set of documented, expected scenarios — initial account setup, billing configuration changes, or specific actions that require root — should trigger an immediate security alert.

CloudTrail-Based Detection

AWS CloudTrail logs every authentication event, including root account console logins. Configure a CloudTrail trail that captures management events in all regions and delivers logs to a centralized S3 bucket. Create a CloudWatch Logs metric filter on the CloudTrail log group that matches root account sign-in events.

The metric filter pattern targets events where userIdentity.type equals Root and eventType equals AwsConsoleSignIn. A CloudWatch alarm on this metric with a threshold of one or more triggers within any evaluation period immediately notifies your security team through SNS.

EventBridge-Based Detection

For lower-latency detection, use Amazon EventBridge rules that match CloudTrail console login events for the root identity. EventBridge processes events in near-real-time — significantly faster than the CloudWatch Logs metric filter pipeline. Configure the EventBridge rule to target an SNS topic, a Lambda function that posts to your security Slack channel, or an AWS Systems Manager Automation document that initiates your root-login response runbook.

Response Automation

When a root account login is detected, automated response should include notifying the security on-call team through a high-priority channel (PagerDuty, Opsgenie, or equivalent), capturing the source IP, user agent, and geographic location from the CloudTrail event, correlating the login with any scheduled root access activities documented in your change management system, and if the login is unrecognized, initiating credential rotation and account lockdown procedures.

MFA Enforcement and Gap Detection

Multi-factor authentication is the single most effective control against credential-based attacks. AWS supports multiple MFA device types — hardware security keys, virtual authenticator apps, and FIDO2 passkeys — and recommends enabling MFA for all IAM users and the root account.

Detecting Missing MFA on the Root Account

Use AWS Config with the managed rule root-account-mfa-enabled to continuously verify that MFA is configured on the root account. This rule evaluates the root account's MFA status and marks it as NON_COMPLIANT if MFA is not enabled. Configure AWS Config to deliver compliance change notifications through SNS, ensuring that any removal of root MFA triggers an immediate alert.

Additionally, deploy an EventBridge rule that matches iam.amazonaws.com API calls for DeactivateMFADevice and DeleteVirtualMFADevice targeting the root account. These events indicate that someone is actively removing MFA protection — a critical security event regardless of whether it is performed by a legitimate administrator or an attacker who has already obtained root credentials.

Detecting Missing MFA on IAM Users

AWS Config's iam-user-mfa-enabled rule checks whether all IAM users have MFA enabled. For console-enabled users, this is a mandatory control. For users with only programmatic access (access keys, no console password), MFA enforcement operates differently — it is applied through IAM policy conditions that require MFA for sensitive API calls rather than at the authentication level.

Deploy a scheduled Lambda function that queries the IAM credential report using GenerateCredentialReport and GetCredentialReport. Parse the report to identify users where mfa_active is false and password_enabled is true. These represent users who can log in to the console without MFA — an unacceptable security gap in any environment.

Enforcing MFA Through IAM Policies

Detection alone is insufficient. Enforce MFA by attaching IAM policies that deny all actions except IAM self-service (password change, MFA device registration) unless the aws:MultiFactorAuthPresent condition key is true. This pattern — commonly called an "MFA enforcement policy" — ensures that even if a user's password is compromised, the attacker cannot perform any meaningful action without the second factor.

IAM Policy Drift Detection

IAM policy drift occurs when the actual permissions in your environment diverge from the intended security posture. This drift happens gradually — a permission added to troubleshoot a production issue and never removed, a policy attached directly to a user instead of through a role, an inline policy created to bypass a managed policy restriction.

Detecting Policy Changes with CloudTrail

Monitor CloudTrail for IAM API calls that modify permissions: AttachUserPolicy, AttachRolePolicy, AttachGroupPolicy, PutUserPolicy, PutRolePolicy, PutGroupPolicy, CreatePolicy, CreatePolicyVersion, AddUserToGroup, and CreateRole. Each of these events represents a potential drift from your intended security posture.

Configure EventBridge rules to capture these events and route them to a security review queue. Not every policy change is malicious — most are legitimate operational actions — but every policy change should be logged, attributed to a specific user or automation, and reviewed to confirm it aligns with your access control standards.

Identifying Overly Permissive Roles

IAM Access Analyzer provides two capabilities that are essential for detecting overly permissive roles. External access analysis identifies resources that are shared with entities outside your account or organization. Unused access analysis identifies IAM roles, access keys, and permissions that have not been used within a specified analysis period.

Run IAM Access Analyzer with a 90-day analysis window. Any permission not exercised in 90 days is a strong candidate for removal. Roles with AdministratorAccess or broad wildcard permissions (* on *) should be flagged for immediate review regardless of usage, as they represent maximum-blast-radius credentials.

Infrastructure-as-Code Drift Detection

If your IAM policies are managed through Terraform, CloudFormation, or CDK, deploy drift detection that compares the actual state of IAM resources against the declared state in your infrastructure code. Terraform's terraform plan output identifies resources that have been modified outside of Terraform — a direct indicator of policy drift.

Automate this comparison by running drift detection on a scheduled basis (daily minimum) and alerting on any IAM resources that have drifted from their declared configuration. Drift in IAM is always a security-relevant event — it means someone modified permissions outside your normal change management process.

Building a Continuous IAM Monitoring Pipeline

Effective IAM security monitoring integrates multiple signal sources into a pipeline that provides comprehensive coverage of identity-related risk.

The pipeline should ingest CloudTrail management events for all IAM and STS API calls, AWS Config compliance evaluations for IAM-related rules, IAM Access Analyzer findings for external access and unused permissions, GuardDuty findings related to credential behavior (unusual API calls, console logins from new locations, credential exfiltration indicators), and IAM credential report data including access key age, last rotation date, MFA status, and last login time.

Raw signals from these sources generate significant volume. Effective monitoring requires correlation logic that elevates genuine security events above operational noise. A root account login from a new IP address that coincides with a policy change should be prioritized higher than a routine policy attachment by an automation role. A new role with AdministratorAccess created outside of business hours should be prioritized higher than a role created by CloudFormation during a deployment.

FAQ

How do I detect when someone logs into the AWS root account?

Configure a CloudTrail trail capturing management events in all regions. Create either a CloudWatch Logs metric filter or an EventBridge rule that matches console sign-in events where the user identity type is Root. Route the alert to your security team through SNS or a direct integration with your incident management platform. EventBridge provides lower-latency detection than the CloudWatch Logs pipeline.

What is IAM policy drift and why does it matter?

IAM policy drift is the divergence between your intended permission configuration and the actual permissions in your AWS environment. It occurs when permissions are modified outside your normal change management process — manual console changes, emergency troubleshooting additions that are never reverted, or inline policies that bypass your managed policy standards. Drift expands your attack surface incrementally and is often invisible without active monitoring.

How often should I review IAM permissions for least privilege?

Continuous automated monitoring is more effective than periodic manual reviews. Use IAM Access Analyzer with a 90-day unused access analysis window to continuously identify permissions that are candidates for removal. Supplement this with quarterly manual reviews of high-privilege roles and cross-account trust policies. Any IAM policy change should be reviewed in real-time through your CloudTrail monitoring pipeline.

Should I use hardware security keys or virtual MFA for the root account?

AWS recommends phishing-resistant MFA — hardware security keys (FIDO2/WebAuthn) or passkeys — over TOTP-based virtual MFA for the root account. Hardware keys cannot be phished because the authentication is bound to the specific origin, and they do not rely on shared secrets that could be intercepted. Register at least two hardware keys for the root account to ensure access if one is lost.

How do I find overly permissive IAM roles in my AWS account?

Use IAM Access Analyzer's unused access analysis to identify permissions that have not been exercised within your analysis window. Additionally, query the IAM credential report for roles and users with wildcard permissions on all resources. AWS Config rules like iam-policy-no-statements-with-admin-access detect policies that grant full administrative access. Combine these signals to prioritize roles for permission tightening.

Protect your AWS accounts before it's too late

Vigilare monitors your AWS accounts for suspension risks — billing anomalies, IAM issues, GuardDuty findings, and more — and alerts you before AWS takes action.

See Vigilare pricing Talk to us about securing your AWS Browse documentation →

Written by Vigilare Engineering

Platform Team