Monitor root user activity in MP accounts #7825

Closed
3 of 4 tasks
richgreen-moj opened this issue Sep 2, 2024 · 3 comments
richgreen-moj commented Sep 2, 2024

User Story

As an MP engineer
I want to be alerted when the AWS account root user is being used
So that I know that it is only used for genuine purposes (and there are no security breaches)

Value / Purpose

This is a follow-on from #7437 which looked at alerting for admin role usage and more generally the NCSC recommendations on mitigating the risk of an attacker gaining unauthorised access to code and production environments.

It may need to be looked at after this more general ticket that investigates how we will be looking after the root account/codebase... #7824

Useful Contacts

No response

Additional Information

No response

Definition of Done

  • Identify best solution for alerting and where to alert
  • Deploy solution
  • Update documentation
  • Reviewed by another team member
@SimonPPledger
Contributor

#7824 is now complete

@richgreen-moj
Contributor Author

PR #8654 has enabled monitoring/alerting for root account usage across all MP accounts. The PR explains in detail what has been enabled including links to examples of root account usage alerts being triggered.

I don't think there is any need to update any particular documentation for this change.

Over time we should review the amount of traffic being sent to the low priority alarms channel from member accounts and look to act on any issues or see if we need to tweak the alarm configuration etc.

richgreen-moj moved this from In Progress to For Review in Modernisation Platform Dec 4, 2024
@Kudzai-moj
Contributor

Everything looks good to me. Moving to done.

Kudzai-moj moved this from For Review to Done in Modernisation Platform Dec 5, 2024
Kudzai-moj closed this as completed by moving to Done in Modernisation Platform Dec 5, 2024