Suspicious Account Breach


I know I'll get the same generic response as everyone else - but two weeks ago AWS forced me to change my password because it was the same as my regular Amazon account. I logged in with that password for two weeks. Then last night I got an email my account was compromised and my email root username was changed. I've had an AWS account for 7+ years, never a problem and then all of a sudden this happens. Very suspicious Amazon… still waiting to hear back from AWS and I am sure my account will rack up charges while just being told to fill out a form

asked 2 years ago, 245 views
1 Answer

If you suspect a breach in your AWS account, it's important to take immediate action to secure your account and protect your resources. Here are the recommended steps to follow:

  1. Change Account Credentials: Reset the passwords and access keys associated with your AWS account, including the root user and IAM users. Choose strong, unique passwords and enable multi-factor authentication (MFA) for additional security.

  2. Disable Compromised Access Keys: Identify any access keys that may have been compromised and deactivate or delete them. Generate new access keys for users and services that require access to your account.

  3. Review IAM Users and Roles: Check for any unauthorized IAM users or roles created in your account. Remove any suspicious or unnecessary users and revoke their permissions.

  4. Audit Security Groups and Network ACLs: Review your security groups and network ACLs for any unauthorized changes. Remove any rules that are not needed or appear suspicious.

  5. Monitor CloudTrail Logs: Enable AWS CloudTrail to log and monitor all API activity in your account. Review the CloudTrail logs for any suspicious activity and investigate any unauthorized API calls.

  6. Scan for Malicious Activity: Use AWS Security Hub, Amazon GuardDuty, or other security monitoring tools to scan for and identify any malicious activity or potential vulnerabilities in your account.

  7. Investigate Incidents: Conduct a thorough investigation of the breach. Collect and analyze any available evidence, including logs, to understand the scope of the incident and identify the potential impact.

  8. Contact AWS Support: Report the suspected breach to AWS Support. They can provide guidance, investigate the issue, and assist in securing your account.

  9. Implement Security Best Practices: Strengthen the security of your account by following AWS security best practices. This includes regularly updating passwords, enabling MFA, applying least privilege principles, and regularly reviewing and monitoring your account for any unauthorized activity.

Remember, it's crucial to act quickly and follow these steps to mitigate the impact of a suspected breach. Additionally, consider involving a security professional or incident response team to assist with the investigation and remediation process.

answered a year ago
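The "Monitor CloudTrail Logs" step of the answer above is the one that tells you what the intruder actually did, and it is where the chain the asker describes (root sign-in, then a changed root e-mail, then new credentials) becomes visible. The script below is an added example, not code from the answer or from AWS: it reads a CloudTrail log file offline and flags the event patterns a responder looks for first. The record layout follows CloudTrail's JSON format; the sample records, account ID, user names and IP addresses are constructed for the example.

```python
"""Offline triage of CloudTrail records for indicators of account takeover.

Added example for the "Monitor CloudTrail Logs" step of the answer above;
it is not code from the answer or from AWS. The record layout follows the
CloudTrail JSON format; the sample records below are constructed, not real logs.
"""
import json
from dataclasses import dataclass

# Events that give an intruder a durable foothold (credentials, principals, policy).
PERSISTENCE_EVENTS = {
    "CreateUser", "CreateAccessKey", "CreateLoginProfile", "UpdateLoginProfile",
    "AttachUserPolicy", "PutUserPolicy", "CreateRole", "AttachRolePolicy",
    "UpdateAssumeRolePolicy",
}
# Events that reduce visibility: turning off the trail or a detection service.
ANTI_FORENSICS_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "DeleteDetector"}
# Root sign-in page events (eventSource signin.amazonaws.com).
ROOT_SIGNIN_EVENTS = {"PasswordRecoveryRequested", "PasswordRecoveryCompleted", "PasswordUpdated"}


@dataclass
class Finding:
    severity: str      # HIGH, MEDIUM or LOW
    event_name: str
    actor: str
    source_ip: str
    reason: str


def load_records(text: str) -> list:
    """Parse a CloudTrail log file ({"Records": [...]}) into a list of records."""
    return json.loads(text).get("Records", [])


def actor_of(rec: dict) -> str:
    """Root is reported as 'Root'; everyone else by user name, falling back to ARN."""
    ident = rec.get("userIdentity", {})
    if ident.get("type") == "Root":
        return "Root"
    return ident.get("userName") or ident.get("arn", "unknown")


def opens_to_world(params: dict) -> bool:
    """True if an AuthorizeSecurityGroupIngress request allows 0.0.0.0/0 or ::/0."""
    for perm in (params or {}).get("ipPermissions", {}).get("items", []):
        v4 = perm.get("ipRanges", {}).get("items", [])
        v6 = perm.get("ipv6Ranges", {}).get("items", [])
        if any(r.get("cidrIp") == "0.0.0.0/0" for r in v4) or \
           any(r.get("cidrIpv6") == "::/0" for r in v6):
            return True
    return False


def triage(records: list) -> list:
    """Return findings sorted HIGH first; routine read-only calls produce nothing."""
    findings = []
    for rec in records:
        name = rec.get("eventName", "")
        who = actor_of(rec)
        ip = rec.get("sourceIPAddress", "?")

        def note(severity, reason):
            findings.append(Finding(severity, name, who, ip, reason))

        if name == "ConsoleLogin":
            success = rec.get("responseElements", {}).get("ConsoleLogin") == "Success"
            mfa = rec.get("additionalEventData", {}).get("MFAUsed") == "Yes"
            if who == "Root" and success and not mfa:
                note("HIGH", "root console login without MFA")
            elif who == "Root" and success:
                note("MEDIUM", "root console login (confirm it was you)")
            elif not success:
                note("LOW", "failed console login")
        elif name in ROOT_SIGNIN_EVENTS:
            note("HIGH", "root password recovery or change via the sign-in page")
        elif name in ANTI_FORENSICS_EVENTS:
            note("HIGH", "trail or detection service being disabled")
        elif name in PERSISTENCE_EVENTS:
            note("MEDIUM", "new credential, principal or policy (possible persistence)")
        elif name == "AuthorizeSecurityGroupIngress" and opens_to_world(rec.get("requestParameters")):
            note("MEDIUM", "security group opened to the whole internet")
    rank = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    return sorted(findings, key=lambda f: rank[f.severity])  # stable sort keeps log order per level


# Constructed sample: a root login without MFA, persistence, trail shutdown,
# one risky change by a legitimate user, and one benign call that must not fire.
ROOT = {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}
ALICE = {"type": "IAMUser", "userName": "alice", "arn": "arn:aws:iam::123456789012:user/alice"}
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T02:11:09Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": ROOT, "sourceIPAddress": "203.0.113.45",
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-05-01T02:13:40Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": ROOT, "sourceIPAddress": "203.0.113.45", "requestParameters": {"userName": "backup-svc"}},
    {"eventTime": "2024-05-01T02:14:02Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": ROOT, "sourceIPAddress": "203.0.113.45", "requestParameters": {"userName": "backup-svc"}},
    {"eventTime": "2024-05-01T02:15:30Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": ROOT, "sourceIPAddress": "203.0.113.45", "requestParameters": {"name": "management-events"}},
    {"eventTime": "2024-05-01T09:02:17Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "userIdentity": ALICE, "sourceIPAddress": "198.51.100.8",
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2024-05-01T09:05:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": ALICE, "sourceIPAddress": "198.51.100.8"},
]})

if __name__ == "__main__":
    for f in triage(load_records(SAMPLE_LOG)):
        print(f"[{f.severity}] {f.event_name} by {f.actor} from {f.source_ip}: {f.reason}")
```

To run it against real logs, feed `load_records` the decompressed contents of the per-hour `.json.gz` files CloudTrail delivers to your S3 bucket, or export the last 90 days of management events from the console's Event history; then pivot on the `source_ip` of the HIGH findings to decide which access keys, users and sessions the rest of the answer's steps need to revoke.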
