Suspicious Billing with SageMaker

If you identify suspicious activity on your account, you should

• Identify any unauthorized actions taken by the AWS Identity and Access Management (IAM) identities in your account.
• Identify any unauthorized access or changes to your account.
• Identify the creation of any unauthorized resources or IAM users. Steps to perform these activities can be found here: https://aws.amazon.com/premiumsupport/knowledge-center/potential-account-compromise/

You should as well look at all the resources in your account and identify/terminate the ones that are not legitimate.

AWS cost explorer can help you identify where these Sagemaker charges are and you can terminate them: https://aws.amazon.com/aws-cost-management/aws-cost-explorer/

Open a case with support if you have any question. Whatever support level you currently have you can always create a Billing/account case to understand any past or upcoming charges.

Once this is done, make sure you apply security best practices to protect your aws account : https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/