diff --git a/rules/cloud/aws_root_account_usage.yml b/rules/cloud/aws_root_account_usage.yml
new file mode 100644
index 000000000..e87c5b7cf
--- /dev/null
+++ b/rules/cloud/aws_root_account_usage.yml
@@ -0,0 +1,20 @@
+title: Root credentials are used
+id: 8ad1600d-e9dc-4251-b0ee-a65268f29add
+status: experimental
+author: vitaliy0x1
+description: Detects Root account usage
+references:
+ - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html
+logsource:
+ service: CloudTrail
+detection:
+ selection_usertype:
+ - userIdentity.type: Root
+ selection_eventtype:
+ - eventType: AwsServiceEvent
+ condition: selection_usertype AND NOT selection_eventtype
+level: medium
+falsepositives:
+ - AWS Tasks That Require AWS Account Root User Credentials https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html
+tags:
+ - attack.t1078
\ No newline at end of file
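Review bot: The `logsource` stanza gives only `service: CloudTrail`, which backends are unlikely to map to the CloudTrail field names the rule relies on (`userIdentity.type`, `eventType`); the Sigma convention for this source is `product: aws` with `service: cloudtrail`, so the stanza should read `logsource:` / `product: aws` / `service: cloudtrail`. The rule also omits a `date` field and carries only the technique tag `attack.t1078` without a tactic tag, which a Sigma validator will usually flag; adding `date` and the tactic(s) under which root-credential use is tracked would make the rule consistent with the rest of the ruleset. The description `Detects Root account usage` could state what is excluded and why, e.g. that `AwsServiceEvent` is filtered because those records are generated by AWS services acting on the account's behalf rather than by an interactive root session, so an analyst knows the intended scope when tuning. `level: medium` may be conservative for any interactive root activity given the AWS guidance linked in `references`, but that is a policy choice for the maintainers to confirm.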