What can I do if I notice unauthorized activity in my AWS account?
I noticed AWS resources that I don't recognize in the AWS Management Console or received a notification that my AWS account might be compromised.
Resolution
If you suspect that there is unauthorized activity in your AWS account, first complete the following steps to verify unauthorized activity. Then, remediate the unauthorized activity in your AWS account. Finally, secure your AWS account root user with multi-factor authentication (MFA).
Note: If you can't sign in to your account, then see What do I do if I can't sign in to my AWS account?
Check if there was unauthorized activity in your account
To identify unauthorized actions, generate credential reports for your AWS account to audit the passwords or access keys of each AWS Identity and Access Management (IAM) identity in your account. Then, view last accessed information for IAM to see which users, user groups, roles, and policies were recently used.
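The following added example (not part of the original article) shows one way to audit a downloaded credential report offline. It uses a constructed sample with a subset of the report's real column names. The seven-day review window and the finding texts are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the IAM credential report CSV layout (subset of columns).
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2020-01-10T09:00:00+00:00,not_supported,false,true,2020-01-10T09:05:00+00:00
alice,arn:aws:iam::111122223333:user/alice,2021-03-02T10:00:00+00:00,true,true,true,2024-02-01T10:00:00+00:00
svc-backup,arn:aws:iam::111122223333:user/svc-backup,2024-04-30T02:40:00+00:00,true,false,true,2024-04-30T02:41:00+00:00
"""

def _parse(value):
    """Report timestamps are ISO 8601; unused fields hold placeholders."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)

def audit_credential_report(report_csv, now, recent_days=7):
    """Return {user: [findings]} for identities that need a manual look."""
    cutoff = now - timedelta(days=recent_days)  # assumed review window
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        notes = []
        is_root = row["user"] == "<root_account>"
        created = _parse(row["user_creation_time"])
        if not is_root and created and created >= cutoff:
            notes.append("user created inside review window")
        # The root user can always sign in; IAM users only with a password.
        can_sign_in = is_root or row["password_enabled"] == "true"
        if can_sign_in and row["mfa_active"] != "true":
            notes.append("console sign-in without MFA")
        for slot in ("1", "2"):  # each identity can hold two access keys
            active = row.get(f"access_key_{slot}_active") == "true"
            rotated = _parse(row.get(f"access_key_{slot}_last_rotated", "N/A"))
            if active and is_root:
                notes.append(f"root access key {slot} is active")
            if active and rotated and rotated >= cutoff:
                notes.append(f"access key {slot} created or rotated inside review window")
        if notes:
            findings[row["user"]] = notes
    return findings

if __name__ == "__main__":
    now = datetime(2024, 5, 2, tzinfo=timezone.utc)  # constructed "today"
    for user, notes in audit_credential_report(SAMPLE_REPORT, now).items():
        print(user, "->", "; ".join(notes))
```

A finding is a prompt for review, not proof of compromise: a key that you rotated yourself last week is flagged in the same way as one that an intruder created.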
To identify unauthorized access or changes to your account, you can monitor the account activity of specific IAM users, roles, and AWS access keys. For more information, see How do I troubleshoot unusual resource activity with my AWS account?
To identify the creation of unauthorized resources or IAM users, including unexpected services and account charges, take the following actions:
- Create a cost and usage report for your account.
- Get started with Trusted Advisor Recommendations.
- Review your monthly billing best practices.
Note: You can also use AWS Cost Explorer to review the charges and usage associated with your account.
If you verified that there isn't unauthorized activity in your account, then no further action is required.
If you verified that there is unauthorized activity, then proceed to the next section to remediate unauthorized activity in your AWS account.
Remediate unauthorized activity in your account
If you received a notification from AWS about irregular activity in your account, first complete the following instructions. Then, respond to the notification in the AWS Support Center with a confirmation of the actions that you completed.
Update exposed account access keys
Check the irregular activity notification sent by AWS Support for exposed account access keys. If you see any keys listed, then complete the following steps:
- Update the AWS access key.
- Deactivate the original access key.
Important: Don't delete the original access key during this step.
- Verify that there are no issues with your application. If there are issues, reactivate the original access key temporarily to remediate the problem.
- If your application is fully functional after you deactivated the original access key, then delete the original access key.
- Delete the AWS account root user access keys that you no longer need or didn't create.
For more information, see Secure access keys and Manage access keys for IAM users.
To update possibly unauthorized IAM user credentials
Complete the following steps:
- Open the IAM console.
- Choose Users in the navigation pane.
- Select the name of the first IAM user on the list.
- On the Summary page of the IAM user, on the Permissions tab, under the Permissions policies section, check that the AWSCompromisedKeyQuarantineV2 policy is attached to the user.
- Update the access keys for the user.
- Repeat steps 2-5 for each IAM user in your account.
- Deactivate IAM users that you didn't create.
- Change the passwords for the IAM users that you created.
If you use temporary security credentials, then see Revoke IAM role temporary security credentials.
Check your AWS CloudTrail Event history for unauthorized activity
Complete the following steps:
- Open the AWS CloudTrail console.
- In the navigation pane, choose Event history.
- Review for unsanctioned activity, such as the creation of access keys, policies, roles, or temporary security credentials.
Important: Make sure that you review the Event time to confirm if the resources were recently created and match the irregular activity.
- Delete any unsanctioned access keys, policies, roles, or temporary security credentials.
For more information, see Working with CloudTrail Event history.
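The review described above can also be run over exported events. The following added example (not part of the original article) filters constructed records in the CloudTrail event shape to a time window that matches the irregular activity. The watched event names, the identity, the IP addresses, and the window are assumptions.

```python
from datetime import datetime, timezone

# Assumption: event names picked to cover the kinds of creation the step lists.
WATCHED = {"CreateAccessKey": "access key", "CreateUser": "IAM user",
           "CreatePolicy": "policy", "CreateRole": "role",
           "GetSessionToken": "temporary credentials",
           "GetFederationToken": "temporary credentials"}

ALICE = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice",
         "accessKeyId": "AKIAEXAMPLEKEY000001"}  # constructed identity

# Constructed records in the CloudTrail event shape (only the fields used here).
SAMPLE_EVENTS = [
    {"eventTime": "2024-02-01T10:00:00Z", "eventName": "CreateAccessKey",
     "sourceIPAddress": "198.51.100.7", "userIdentity": ALICE},
    {"eventTime": "2024-04-30T02:41:02Z", "eventName": "CreateAccessKey",
     "sourceIPAddress": "203.0.113.50", "userIdentity": ALICE},
    {"eventTime": "2024-04-30T02:40:11Z", "eventName": "CreateUser",
     "sourceIPAddress": "203.0.113.50", "userIdentity": ALICE},
    {"eventTime": "2024-04-30T02:43:30Z", "eventName": "CreateRole",
     "sourceIPAddress": "203.0.113.50", "userIdentity": ALICE,
     "errorCode": "AccessDenied"},
    {"eventTime": "2024-04-30T02:45:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "203.0.113.50", "userIdentity": ALICE},
]

def triage(events, start, end):
    """Return watched events inside [start, end], oldest first."""
    hits = []
    for ev in events:
        kind = WATCHED.get(ev.get("eventName"))
        # CloudTrail eventTime is UTC with a trailing Z.
        when = datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))
        if kind is None or not (start <= when <= end):
            continue
        ident = ev.get("userIdentity", {})
        hits.append({"time": when, "event": ev["eventName"], "kind": kind,
                     "actor": ident.get("arn", ident.get("type", "unknown")),
                     "access_key": ident.get("accessKeyId"),
                     "source_ip": ev.get("sourceIPAddress"),
                     # A failed call carries errorCode; nothing was created.
                     "succeeded": "errorCode" not in ev})
    return sorted(hits, key=lambda h: h["time"])

if __name__ == "__main__":
    window = (datetime(2024, 4, 30, tzinfo=timezone.utc),
              datetime(2024, 5, 1, tzinfo=timezone.utc))
    for hit in triage(SAMPLE_EVENTS, *window):
        print(hit["time"].isoformat(), hit["event"], hit["source_ip"], hit["succeeded"])
```

Events with `succeeded` set to false created nothing to delete, but they show which credential was in use and what it attempted.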
Delete unrecognized or unauthorized resources
Open the AWS Management Console, and verify that all the resources in your account are resources that you launched. Be sure to check and compare the usage from the previous month to the current one. Make sure that you check for resources in all AWS Regions, even in Regions where you didn't launch resources.
Then, to delete unrecognized or unauthorized resources, see How do I remove active resources that I no longer need in my AWS account?
Important: If you must keep resources available for investigation, then it's a best practice to back up those resources. For example, if you must retain an Amazon Elastic Compute Cloud (Amazon EC2) instance for regulatory, compliance, or legal reasons, then create an Amazon EBS snapshot before you terminate the instance.
Recover backed-up resources
If you configured services to maintain backups, then recover those backups from their last known uncompromised state.
To restore specific types of AWS resources, take the following actions:
- Restore an Amazon EBS volume or an EC2 instance
- Restore to a DB snapshot for Amazon Relational Database Service (Amazon RDS) instances
- Restore previous versions for Amazon Simple Storage Service (Amazon S3) object versions
Verify your account information
Verify that all of the following information is correct in your account.
If you need to update your account information, take the following actions:
- Update your AWS account name
- Update the root user email address
- Update the primary contact for your AWS account
- Update the alternate contacts for your AWS account
Note: For more information about account security best practices, see What are the best practices to secure my AWS account and its resources?
Secure your account root user with MFA
It's a best practice to turn on multi-factor authentication (MFA) because the AWS account root user has privileged access to AWS services and resources. MFA provides a second authentication factor for your sign-in credentials and reduces the risk of a compromised password. You can activate up to eight MFA devices for each IAM user with AWS Management Console access.
Note: MFA activation for the root user affects only the root user credentials. IAM users in the account are distinct identities with their own credentials and each identity has its own MFA configuration.
To activate MFA, see Secure your root user sign-in with MFA and AWS Multi-factor authentication in IAM.
AWS OFFICIAL, updated 2 months ago