How do I troubleshoot unusual resource activity with my AWS account?

3 minute read
0

I want to determine AWS Identity and Access Management (IAM) users who created a resource, and restrict access to the resource.

Short description

Unauthorized account activity, such as new services that are unexpectedly launched, can indicate that your AWS credentials are compromised. Someone with malicious intent can use your credentials to access your account and perform activities that are permitted by the policies. For more information, see What do I do if I notice unauthorized activity in my AWS account?

Resolution

Identify the compromised IAM user and access key, and then deactivate them. Then, Use AWS CloudTrail to search for the API event history that's associated with the compromised IAM user.

In the following example, an Amazon Elastic Compute Cloud (Amazon EC2) instance launched unexpectedly.

Note: The following resolution applies to long-term security credentials, not temporary security credentials. To turn off temporary credentials, see Disabling permissions for temporary security credentials.

Identify the Amazon EC2 instance ID

Complete the following steps:

  1. Open the Amazon EC2 console, and then choose Instances.
  2. Choose the EC2 instance, and then choose the Description tab.
  3. Copy the Instance ID.

Locate the IAM access key ID and user name used to launch the instance

Complete the following steps: 

  1. Open the CloudTrail console, and then choose Event history.
  2. For Filter, choose Resource name.
  3. In the Enter resource name field, enter the instance ID, and then choose Enter.
  4. Expand the Event name for RunInstances.
  5. Copy the AWS access key, and then note the username.

Deactivate the IAM user, create a backup IAM access key, and then deactivate the compromised access key

Complete the following steps:

  1. Open the IAM console, and then enter the IAM access key ID in the Search IAM bar.
  2. Choose the username, and then choose the Security credentials tab.
  3. In Console sign-in, choose Manage console access.
    Note: If the AWS Management Console password is set to Disabled, then you can skip this step.
  4. In Manage console access, choose Disable, and then choose Apply.
    Important: Users whose accounts are turned off can't access the AWS Management Console. However, if the user has active access keys, then they can still use API calls to access AWS services.
  5. Update the access keys for the IAM user.
  6. For the compromised IAM access key, choose Make inactive.

Review CloudTrail event history for activity for the compromised access key

Complete the following steps:

  1. Open the CloudTrail console.
  2. In the navigation pane, choose Event history.
  3. For Filter, choose AWS access key.
  4. In the Enter AWS access key field, enter the compromised IAM access key ID.
  5. Expand the Event name for the RunInstances API call.
    Note: You can view event history for the last 90 days.

You can also search CloudTrail event history to determine how a security group or resource was changed.

For more information, see Working with CloudTrail event history.

Related information

Security best practices in IAM

Securing access keys

Managing IAM policies

AWS security audit guidelines

AWS OFFICIAL
AWS OFFICIALUpdated 2 months ago