
How do I troubleshoot unusual resource activity in my AWS account?


I noticed unusual resource activity in my AWS account. I want to determine the AWS Identity and Access Management (IAM) users who created the resource, and restrict access to the resource.

Short description

If you notice unexpected resource activity in your account, then your credentials might be compromised. An unauthorized user with your credentials can perform any actions that are allowed by your IAM policies. For guidance on how to handle potential unauthorized access, see What can I do if I notice unauthorized activity in my AWS account?

Resolution

First, identify the compromised IAM user and access key and deactivate them. Then, use AWS CloudTrail to search for the API event history that's associated with the compromised IAM user.

In the following example, an Amazon Elastic Compute Cloud (Amazon EC2) instance launched unexpectedly.

Note: The following resolution applies to long-term security credentials, not temporary security credentials. To revoke permissions from temporary credentials, see Disabling permissions for temporary security credentials.

Identify the Amazon EC2 instance ID

Complete the following steps:

  1. Open the Amazon EC2 console, and then choose Instances.
  2. Select the EC2 instance, and then choose the Instance Summary tab.
  3. Copy the Instance ID.

Locate the IAM access key ID and username used to launch the instance

Complete the following steps:

  1. Open the CloudTrail console, and then choose Event history.
  2. For Lookup Attributes, choose Resource name.
  3. In the Enter resource name field, enter the instance ID, and then choose Enter.
  4. Expand the Event name for RunInstances.
  5. Copy the AWS access key, and then note the username.

Update a backup IAM access key and deactivate the compromised access key

Complete the following steps:

  1. Open the IAM console, and then enter the IAM access key ID in the Search IAM bar.
  2. Select the username, and then choose the Security credentials tab.
  3. In Console sign-in, choose Manage console access.
    Note: If the AWS Management Console password is set to Disabled, then you can skip this step.
  4. In Manage console access, choose Disable, and then choose Apply.
    Important: If the user has active access keys, then they can still use API calls to access AWS services.
  5. Update access keys.
  6. For the compromised IAM access key, choose Actions, and then select Deactivate.
    Note: If you deactivate the compromised IAM access key while it's in use, then production workloads that rely on that key can be affected.

Review CloudTrail event history for activity for the compromised access key

Complete the following steps:

  1. Open the CloudTrail console.
  2. In the navigation pane, choose Event history.
  3. For Lookup Attributes, choose AWS access key.
  4. In the Enter AWS access key field, enter the compromised IAM access key ID.
  5. Expand the Event name for the RunInstances API call.
    Note: You can view event history for the last 90 days.

You can also search CloudTrail event history to determine how a security group or resource was changed.

For more information, see Working with CloudTrail event history.
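The same triage flow (find the RunInstances event for an instance, read the access key ID and user name behind it, then deactivate that key), as an added example that is not part of the original article or any AWS tooling. It parses records in the shape the CloudTrail LookupEvents API returns; the sample events, instance ID, user names and key IDs are constructed placeholders, and the two live helpers assume boto3 and valid credentials.

```python
import json

# Constructed sample in the CloudTrail LookupEvents response shape; all IDs are placeholders.
SAMPLE_EVENTS = [
    {"EventName": "DescribeInstances", "CloudTrailEvent": json.dumps({
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "accessKeyId": "AKIAEXAMPLEREADONLY0"},
        "responseElements": None})},
    {"EventName": "RunInstances", "CloudTrailEvent": json.dumps({
        "eventTime": "2024-05-01T03:12:44Z", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "userName": "deploy-bot",
                         "accessKeyId": "AKIAEXAMPLELEAKED000"},
        "responseElements": {"instancesSet": {"items": [
            {"instanceId": "i-0123456789abcdef0"}]}}})},
]

def find_launch_identity(events, instance_id):
    """Return who launched instance_id from LookupEvents records, or None if absent."""
    for ev in events:
        if ev.get("EventName") != "RunInstances":
            continue
        # Each record carries the full CloudTrail event as a JSON string.
        rec = json.loads(ev["CloudTrailEvent"])
        items = ((rec.get("responseElements") or {}).get("instancesSet") or {}).get("items", [])
        if instance_id not in {i.get("instanceId") for i in items}:
            continue
        ident = rec.get("userIdentity", {})
        key = ident.get("accessKeyId") or ""
        return {
            "user_name": ident.get("userName"),
            "access_key_id": key,
            # The console steps above apply to long-term IAM user keys (AKIA...);
            # ASIA-prefixed keys are temporary credentials and need the other path.
            "long_term": ident.get("type") == "IAMUser" and not key.startswith("ASIA"),
            "source_ip": rec.get("sourceIPAddress"),
            "event_time": rec.get("eventTime"),
        }
    return None

def lookup_events_for_resource(resource_name):
    """Live equivalent of the console 'Resource name' lookup (needs boto3 + credentials)."""
    import boto3
    return boto3.client("cloudtrail").lookup_events(
        LookupAttributes=[{"AttributeKey": "ResourceName", "AttributeValue": resource_name}])["Events"]

def deactivate_access_key(user_name, access_key_id):
    """Step 6 above: set the key Inactive (reversible), rather than deleting it."""
    import boto3
    boto3.client("iam").update_access_key(UserName=user_name, AccessKeyId=access_key_id, Status="Inactive")
```

Against a live account, feed the output of lookup_events_for_resource into find_launch_identity and only call deactivate_access_key when the result reports a long-term key.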

Related information

Security best practices in IAM

Secure access keys

Manage IAM policies

AWS security audit guidelines