AWS Account Compromised, someone keeps buying domain names on Route 53

0

Someone keeps buying domain names on Route 53, and it's not us. It seems like our AWS account has been compromised. I reset my password and set up MFA yesterday, but this morning I received a billing notification saying we purchased a new domain name.

I checked the IAM console and saw that a user called "aws-sns-bot1" was activated three hours ago. I'm not sure if it's related, but I'm concerned.

What can I do to prevent this from happening again? I already created a ticket with AWS support but haven't heard back yet.

3 Answers
4

Here are the action items that you need to take care of immediately for the user you have already identified:

  • IAM User: revoke session temporary credentials

  • Deactivate the IAM user's access keys

Other users/roles may also exist that were created as part of this account compromise incident. Make sure no IAM user or role exists which you haven't created.

To identify all those suspicious activities, follow this Knowledge Center article for best practices so that it doesn't happen again. Also, check if you see any suspicious activity in CloudTrail.

Since you did the right thing, which is logging a support ticket, they will be able to help you investigate further.

Have MFA enabled on IAM users/roles for an additional layer of protection.

Hope it helps.

answered 9 months ago
  • This answer is spot on. Just highlighting that MFA by default isn’t enforced on Access keys. You must remove or rotate keys. I would also add to check for any Identity providers that have been added to your account too!

  • Thank you Gary for adding to the answer. @Fancy_Hat_01, if you have any further questions, feel free to comment here.
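The first answer and Gary's comment boil down to two checks and one action: find the IAM persistence and Route 53 purchase events in CloudTrail, and invalidate the intruder's existing sessions. The script below is an added example (not code from the thread or from AWS) that runs both over constructed CloudTrail records; the `SAMPLE_TRAIL` events, names and IPs are invented, and `revoke_sessions_policy` builds the same deny-by-`aws:TokenIssueTime` policy shape the IAM console attaches when you click "Revoke active sessions".

```python
import json
from datetime import datetime, timezone

# Event names worth alerting on in an account-compromise triage: IAM persistence
# (users, keys, console passwords, identity providers) and Route 53 domain purchases.
SUSPICIOUS_EVENTS = {
    "iam.amazonaws.com": {
        "CreateUser", "CreateAccessKey", "CreateLoginProfile", "AttachUserPolicy",
        "CreateRole", "CreateOpenIDConnectProvider", "CreateSAMLProvider",
    },
    "route53domains.amazonaws.com": {"RegisterDomain", "TransferDomain"},
}

# Constructed CloudTrail records (trimmed to the fields used; every value is invented).
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2023-08-10T03:12:44Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "userIdentity": {"userName": "admin"},
     "requestParameters": {"userName": "aws-sns-bot1"}, "sourceIPAddress": "203.0.113.7"},
    {"eventTime": "2023-08-10T03:13:01Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "userIdentity": {"userName": "admin"},
     "requestParameters": {"userName": "aws-sns-bot1"}, "sourceIPAddress": "203.0.113.7"},
    {"eventTime": "2023-08-10T06:40:19Z", "eventSource": "route53domains.amazonaws.com",
     "eventName": "RegisterDomain", "userIdentity": {"userName": "aws-sns-bot1"},
     "requestParameters": {"domainName": "example-test.com"}, "sourceIPAddress": "203.0.113.7"},
    {"eventTime": "2023-08-10T07:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "userIdentity": {"userName": "admin"},
     "requestParameters": None, "sourceIPAddress": "198.51.100.2"},
]})

def find_suspicious(trail_json):
    """Return (actor, eventName, eventTime, sourceIP, target) for each flagged record."""
    hits = []
    for rec in json.loads(trail_json)["Records"]:
        if rec["eventName"] in SUSPICIOUS_EVENTS.get(rec["eventSource"], ()):
            params = rec.get("requestParameters") or {}  # may be null in real logs
            target = params.get("userName") or params.get("domainName") or ""
            hits.append((rec["userIdentity"].get("userName", "?"), rec["eventName"],
                         rec["eventTime"], rec["sourceIPAddress"], target))
    return hits

def revoke_sessions_policy(issued_before=None):
    """Inline deny policy that invalidates every session token issued before the cutoff.
    Attach it to the user (or role) whose temporary credentials must stop working."""
    cutoff = issued_before or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny", "Action": ["*"], "Resource": ["*"],
        "Condition": {"DateLessThan": {"aws:TokenIssueTime": cutoff}}}]}

if __name__ == "__main__":
    print(json.dumps({"alerts": find_suspicious(SAMPLE_TRAIL),
                      "policy": revoke_sessions_policy()}, indent=2))
```

Against a real trail, feed it the output of `aws cloudtrail lookup-events` or the gzipped S3 log files, and attach the generated policy with `aws iam put-user-policy` before rotating the keys, since a deny policy alone does not delete the long-term access keys Gary mentions.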

0

I understand your concern regarding the compromise of your AWS account. Here are some steps you can take to address this issue and prevent future incidents:

  1. Isolate the compromised account: As soon as you suspect a compromise, it is crucial to immediately isolate the affected account. This can be done by disabling or removing the user "aws-sns-bot1" from the IAM console.

  2. Review activity logs: Use AWS activity logs to identify actions taken using the compromised account. The logs can help you understand how the compromise occurred and take appropriate measures.

  3. Strengthen the account security: Ensure you take proper security measures for your AWS account, such as:

    • Enable two-factor authentication (MFA) for all users.
    • Use strong and unique password policies for all users.
    • Limit user access privileges and assign only necessary permissions to perform their tasks.

  4. Change access keys and secret credentials: If you use access keys and secret credentials, generate new keys for all affected users. Also, make sure to update the keys and credentials used by your third-party applications or services.

  5. Review resources and configurations: Go through your AWS resources to detect any suspicious or unauthorized changes. Verify the configurations of AWS services to ensure they are secure and compliant with best practices.

  6. Collaborate with AWS support: Continue to follow up on your AWS support ticket and work closely with them to resolve the issue. They can assist in investigating the compromise and taking additional measures to secure your account.

  7. Actively monitor your account: Implement active monitoring of your AWS account using services like AWS CloudTrail, AWS Config, and Amazon GuardDuty. These services help detect suspicious or unauthorized activities and enable you to take prompt action.

Remember, security is an ongoing process. In addition to the steps mentioned above, it is essential to regularly train users on security best practices, stay updated on AWS security updates, and keep your systems up to date with appropriate security patches.

answered 9 months ago
0

Immediately access the AWS console using an administrative account.

Suspend or delete the user account "aws-sns-bot1" in the IAM console to prevent any unauthorized access.

Check the activity logs of the compromised AWS account to identify the origin of the attack.

Analyze access and login logs to detect any suspicious activity on your account.

Revoke all excessive privileges granted to user accounts and ensure that each user has only the necessary minimum permissions for their tasks.

Enable AWS account activity tracking to receive alerts for unauthorized modifications.

Implement a robust security strategy, including the use of firewall rules and security groups to limit resource access.

Ensure that all users use two-factor authentication (MFA) for enhanced security. Continuously monitor your AWS account for any suspicious activity while awaiting a response from AWS support. The security of your AWS account is crucial, so take prompt action to prevent any future unauthorized access.

answered 9 months ago