What AWS services does Vigilare monitor?

Vigilare monitors 7+ AWS services: Billing (cost anomalies and usage spikes), IAM (policy drift, root account usage, missing MFA), GuardDuty (threat findings), SES (sending reputation), CloudTrail (suspicious API patterns), Service Quotas (limit utilisation), and Account Health (AWS notifications). Coverage is continuously expanded.

How does Vigilare access my AWS account?

Vigilare uses a read-only cross-account IAM role that you provision using our open-source Terraform module. The role grants only the minimum permissions required for monitoring — no write access, no credential storage, and no data leaves your account except what is needed to display findings in your dashboard.

How quickly will I be alerted?

Depending on your plan, Vigilare scans every 1, 5, or 15 minutes. Alerts are delivered in real time via email, Slack, or PagerDuty the moment a threshold is crossed. The typical end-to-end latency from event to alert is under 90 seconds.

Can I monitor multiple AWS accounts?

Yes. The Solo plan covers 1 account, Team supports up to 10, Agency up to 50, and Enterprise is unlimited. All accounts appear in a single dashboard with per-account risk scores and consolidated alert feeds.

Is my AWS data secure?

All data is encrypted at rest with AES-256 and in transit with TLS 1.2+. Vigilare's control plane runs on AWS infrastructure in dedicated, isolated tenants. We never store raw AWS credentials. The platform is SOC 2 Type II compliant and we provide reports on request for Enterprise customers.

Is there a free trial?

Yes — all paid plans include a 14-day free trial. No credit card is required to get started. You can connect your first AWS account and see findings within 5 minutes of signing up.

What happens if I exceed my account limit?

We'll notify you as you approach your account limit and give you the option to upgrade. We won't stop monitoring your existing accounts without notice.

Can I cancel at any time?

Yes. There are no long-term contracts. You can cancel your subscription at any time from the billing settings page. Your access continues until the end of the current billing period.

AWS Root Account Security: Hardening and Monitoring Your Most Privileged Access

The Nuclear Option

The AWS root account is the most powerful identity in your AWS environment. It bypasses all IAM policies, all service control policies, all permission boundaries. It can delete everything in your account, transfer account ownership, change billing settings, and close the account entirely. No IAM policy can restrict it. No SCP can limit it. It is, by design, the "break glass" option that exists outside your normal security model.

Because of this, the root account should be treated like nuclear launch codes: secured with the strongest possible controls, used only in genuine emergencies, and monitored continuously for any access attempt.

This guide covers the specific hardening steps for root account security and the monitoring setup that alerts immediately if the root account is ever used.

Root Account Hardening: The Checklist

AWS publishes root account security recommendations as part of the Foundational Security Best Practices, and Security Hub monitors for compliance. The essential steps:

Enable MFA on the Root Account

This is the single most important root account security control. Use a hardware MFA device (YubiKey, Gemalto) rather than a virtual authenticator app — hardware devices can't be stolen remotely, and the root account is the highest-value target in your environment. Store the MFA device in a physical safe, separate from the account credentials.

Security Hub control: IAM.1 - IAM root user access key should not exist and IAM.9 - MFA should be enabled for the root user.

Delete or Never Create Root Access Keys

Root access keys allow programmatic root access — the root account used via CLI or API. There is virtually no legitimate use case for root access keys. If they exist in your account, delete them immediately:

aws iam delete-access-key --access-key-id <root-key-id>

AWS Config will flag existing root access keys. Security Hub control: IAM.4 - IAM root user access key should not exist.

Use a Dedicated Root Account Email Address

The root account email receives all critical AWS communications — billing alerts, security notifications, account compromise alerts. Use a dedicated email alias (not a personal address) that multiple people in your organization can access: aws-root@yourcompany.com. Never use a personal email address that could become inaccessible if the employee leaves.

Store Root Credentials Securely

Root credentials (the email/password combination) should be stored in a password manager with organizational access, not in any individual's personal password manager. Consider storing the credentials in a physical safe for the most sensitive accounts (production, billing). Document where the credentials are stored in your incident response runbook.

Set Up Cost and Billing Alerts

Root access is sometimes required for billing-related tasks. Ensure billing alerts are configured so that if the root account is used to make billing changes, you're notified. See our proactive monitoring guide for billing alert setup.

Monitoring Root Account Usage

The most important root account security control after hardening is immediate detection of any usage. Root account activity is logged to CloudTrail and can trigger instant alerts.

CloudTrail Alarm for Root Account Login

resource "aws_cloudwatch_metric_alarm" "root_account_usage" {
  alarm_name          = "root-account-usage"
  comparison_operator = "GreaterThanOrEqualToThreshold"
  evaluation_periods  = 1
  metric_name         = "RootAccountUsage"
  namespace           = "CloudTrailMetrics"
  period              = 60
  statistic           = "Sum"
  threshold           = 1
  alarm_description   = "Root account has been used - immediate investigation required"
  alarm_actions       = [aws_sns_topic.critical_alerts.arn]
}

resource "aws_cloudwatch_log_metric_filter" "root_account_usage" {
  name           = "root-account-usage"
  pattern        = "{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }"
  log_group_name = aws_cloudwatch_log_group.cloudtrail.name

  metric_transformation {
    name      = "RootAccountUsage"
    namespace = "CloudTrailMetrics"
    value     = "1"
  }
}

This alarm fires within 60 seconds of any root account API call. Configure the SNS topic to immediately notify your security team via PagerDuty, Slack, and email. See our CloudTrail alerting guide for the metric filter setup.

Root Account Login vs. API Usage

Root account CloudTrail events fall into two categories:

Console login: eventName = ConsoleLogin, userIdentity.type = Root
API calls: Any API call with userIdentity.type = Root

Both should trigger immediate alerts. Console logins indicate someone is actively using the root credentials. API calls indicate programmatic root access (which should be impossible if you deleted root access keys — their presence indicates either keys you didn't know existed or a very serious security issue).

When Root Access Is Legitimately Needed

Root access is required for a small number of specific tasks that no IAM policy can grant:

Changing the root account email address or password
Enabling or disabling AWS Support plans
Closing the account
Restoring IAM access after accidentally locking yourself out
Submitting a GovCloud account request
Configuring an S3 bucket policy that currently denies all access (including the account)

Maintain a documented procedure for root access use: who is authorized, what justification is required, how usage is recorded. Every root account access should be logged in your incident management system, even if it's a planned maintenance action.

Root Account and AWS Organizations

In AWS Organizations, the management account's root user has authority over the entire organization — it can remove member accounts, modify SCPs, and change billing. This makes securing the management account root even more critical.

Best practices for Organizations root security:

Never run workloads in the management account — use it only for Organizations administration
Enable SCP guardrails that prevent member account roots from taking destructive actions
Create a dedicated security account with delegated admin access for Security Hub and GuardDuty
Use the management account's root only for genuine organizational emergencies

See our Organizations best practices guide for the full organizational security architecture.

AWS Config Rules for Root Account

Enable these Config rules to continuously monitor root account status:

root-account-mfa-enabled — Verifies MFA is enabled
iam-root-access-key-check — Verifies no access keys exist
root-account-hardware-mfa-enabled — Verifies hardware MFA (not virtual)

Any of these going non-compliant should trigger an immediate alert — it means either someone disabled a control or the account was created/modified in a way that bypassed your standard setup. See our Config rules guide.

The "Break Glass" Documentation

Every organization should have documented break-glass procedures for root access. This documentation should include:

Where root credentials are stored
Where the MFA device is stored
Who is authorized to use root access
What justification is required before using root access
How to log and document root access usage
Post-use procedures: changing the password after each use, verifying no unauthorized changes

Store this documentation somewhere accessible during incidents — not just in the AWS account that might be compromised. A physical document, an encrypted offline file, or a document in a separate identity provider works well.

FAQ

What if I lose access to my root account MFA device?

Contact AWS Support. They have an account recovery process that involves verifying your identity through the root account email and phone number, plus possibly providing proof of account ownership (billing records, government ID). This process takes time, which is why having a secure backup plan matters — store the MFA device recovery codes securely when you first set up MFA.

Should every AWS account have its own root credentials, or can they share?

Each AWS account must have a unique root email address — this is an AWS requirement. Every account needs separate root credentials. In practice, use email aliases (aws-prod-root@company.com, aws-dev-root@company.com) that route to a shared inbox and store each account's credentials separately.

Can Service Control Policies restrict root account actions?

No. SCPs explicitly do not apply to the management account or to root users. This is by design — the root account is the ultimate recovery mechanism, and restricting it would create scenarios where accounts become unrecoverable. This is also why securing the root account is more critical than other IAM controls.

Protect your AWS accounts before it's too late

Vigilare monitors your AWS accounts for suspension risks — billing anomalies, IAM issues, GuardDuty findings, and more — and alerts you before AWS takes action.

See Vigilare pricing Talk to us about securing your AWS Browse documentation →

Written by Viktor B.

Co-founder & CEO