Now that you have your device connected, here are 2 simple ways to see Expel in action in your environment.

Option 1: Create an IAM user with name expeltestuser

Want to see what Expel does after we detect something that we can tell on our own is probably malicious?

Create an IAM user with name expeltestuser, and we produce an incident as if this were a malicious activity. You don’t have to give this user any roles, policies, or credentials.

Of course, there’s nothing inherently malicious in creating an IAM user. This is just an easy way to simulate how Expel responds to actual malicious events.

Let's try it out!

  1. Go to your AWS console.

  2. Open the Identity and Access Management (IAM) service.


    This is NOT the IAM Identity Center service.

  3. Click Users > Add Users > enter the username expeltestuser.

  4. Verify Provide user access to the AWS Management Console isn't selected. Click Next.

  5. Leave the Permissions options as Add user to group.

  6. Click Next > Create user.

    Within 10-15 minutes, you get an email from with the subject Findings ready for review.

  7. Click the link in that notification to see the kind of findings report we produce!


You can immediately delete the user account you created.

Option 2: Login by root AWS user account

Expel also lets you know when something unusual has happened, so your security team knows about it and can let us know if it’s expected or not.

It’s generally not a good practice to log in as the AWS root user account – that is a single, all-powerful account with no built-in individual accountability. However, there are some non-routine operations in AWS that require you to use the root user account.

We configured your organization to generate an alert when the root account is used. We ask you to verify that the usage was authorized, through all the notification mechanisms you've configured. By default, it’s just email. If you tell us the usage wasn't authorized, we create an incident and tell you everything we can about the situation.

We don’t alert on root login if your AWS account is less than 3 days old, because root logins are required during initial AWS account setup. So, if you created a brand-new test environment for trying out Expel, do Option 1 now, and then come back to this AWS root login test after your AWS account passes the 3-day mark.

Go ahead and try it out!

  1. If you’re currently logged into AWS, log out.

  2. Log in to the AWS environment you onboarded with the root user account.

    Within 10-15 minutes, you get an email from containing subject Verify activity.

  3. Click the link in that notification to see how you tell us if this is Authorized or Not Authorized.

  4. Click Authorized.

If this is real attacker activity and you click Not Authorized, our SOC creates an incident and works with you to figure out what happened and what must be done to remediate it.