Removal or Shut Off of Apps Inside Console

0

Hi, we were recently hacked and we now have access to our console again. We only use S3 but when logged back in I see that many other things were accessed and that a major part of charges come from appstream 2.0. Here is what we can see that was recently viewed. https://www.screencast.com/t/HtGis0sSY.

My question is, is there a way for me to remove appstream 2.0 and any of the other items in the screenshot above to really lock the account down? What should I be looking at to make sure that the hacked account is in proper order and that it is locked down tight? Any help would be greatly appreciated.

2 Answers
0

I don't know what basics you have in place already, but first up is use only IAM Users - put MFA on your root user and only use it again in situations where there's no choice. Also add MFA to your IAM Users.

It's up to you what permissions you give your IAM Users, it can just be "s3:*" if you want.

That's just the beginning though. If you really want to put things "in proper order and locked down tight", have a look at https://aws.amazon.com/architecture/security-identity-compliance.

EXPERT
answered a year ago
0

If you do not intend on using Amazon AppStream 2.0, stop the Fleets that were created immediately as well as any image builders you may have running as that is creating cost.

https://docs.aws.amazon.com/appstream2/latest/developerguide/managing-stacks-fleets.html

AWS
EXPERT
answered a year ago
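
The stop step from the answer above, as an added example that is not part of the original answers: a shell script around the AWS CLI `appstream` commands that reports running fleets and image builders and stops them on request. The region arguments, the `APPLY` variable and the function names are assumptions of this example.

```bash
#!/bin/sh
# Added example (not from the original answers): report and optionally stop
# running AppStream 2.0 fleets and image builders in the regions you name.
# Dry run by default; APPLY=1 issues the stop calls.

# Print names of RUNNING resources in one region.
# $1 = region, $2 = describe subcommand, $3 = list key in the response
running_names() {
  aws appstream "$2" --region "$1" \
    --query "$3[?State=='RUNNING'].Name" --output text
}

# Report every running fleet and image builder in region $1 and, when
# APPLY=1, stop it. AppStream names contain no whitespace, so word
# splitting of the text output is safe here.
stop_region() {
  for name in $(running_names "$1" describe-fleets Fleets); do
    echo "$1 fleet $name"
    if [ "${APPLY:-0}" = 1 ]; then
      aws appstream stop-fleet --region "$1" --name "$name"
    fi
  done
  for name in $(running_names "$1" describe-image-builders ImageBuilders); do
    echo "$1 image-builder $name"
    if [ "${APPLY:-0}" = 1 ]; then
      aws appstream stop-image-builder --region "$1" --name "$name"
    fi
  done
}

# Usage: ./stop-appstream.sh <region> [<region> ...]   (you supply the regions)
for region in "$@"; do
  stop_region "$region"
done
```

Run it once without `APPLY` to review the list, then again with `APPLY=1` for each region that showed running resources.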
