Firstly, did you confirm if the bucket was blocked to public access? If not, you can check and analyze the SAL to see if it was disabled during the attack (assuming it was enabled before the attack) https://repost.aws/knowledge-center/analyze-logs-athena
Secondly, if the buckets were not public, it is likely that one of your IAM role/user was compromised that was used to access the bucket. You can again check the SAL or CloudTrail to analyze which IAM role was culprit and rotate the access keys immediately.
Few things to find the exploit and prevent it from happening again.
• Identify the exploited user by using the IAM Credential Report. You can look at the access_key_1_last_used_date column for Credential used and password_last_used for users that login through the Management Console. Search for anomalies such as users that are not in the office but their password was used. IAM --> "Credential Report" in order to view the last used users and credentials.
• Identify the exploited user by using the CloudTrail data. You can search the logs in the order to identify the exploited user either by using the CloudTrail log files or the CloudTrail UI in the Management Console (Only last 7 days). Examples: Search for "CreateUser" action or "RunInstances" action.
• Remove all permissions from the exploited identity. This is useful even when the user is logged into the Management Console since the Management Console checks the action authorization every Action performed. Due to the fact that this is not possible when the root account is exploited, please specify this when you open a ticket so we will revoke the Management Console for the root account.
• Enable MFA on the compromised user (preferably on all users). To perform this action: Go to IAM --> "Users" --> [choose the user] --> "Sign-In Credentials" --> "Manage MFA Device".
• Delete or Make Inactive any access keys of the compromised user. Be aware that there might be an impact on running system that is using these credentials when doing so. In case that you these credentials are being used, you would first need to generate the new key, update the system to use the new key, then Delete or Make Inactive the old key. If the compromised user it the root user, these actions should be performed by the root user. To perform this action: Go to IAM --> "Users" --> “Security Credentials” --> "Delete" or "Make Inactive" the active credentials.
• Change the password of the exploited user. To perform this action: Go to IAM --> "Users" --> [choose the user] --> "Sign-In Credentials" --> "Manage Password"".
• Move the Cloud Trail Logs and any other log files to another location such as a S3 bucket that has only a single authorized entity that is not the exploited entity.
• Check the permissions of the compromised account and investigate the potential damage according to the permissions. For example: if the exploited user had only permissions on a specific bucket, start the investigation with this bucket.
• Validate that there are no new user / group / role / user credentials that were created. To perform this action: Go to IAM --> "Credential Report" --> "Download Report"
• Check all resources in all regions to make sure that everything is authorized and terminate all resources that are not authorized. Check regions that you are not using regularly as well.
• Check if you have Spot requests that are in active mode and that are that you didn't request them. If there are, delete these requests.
• Open a ticket to the support with at least the following information:
- Time window of the suspected compromise, please indicate if the suspected compromise is ongoing.
- List of indicators of compromise you identified and how they differ from regular activity.
- Re-mediation steps you took (if any)
- Any log files that you gathered (CloudTrail, S3 access logs, etc.)
- Any information you have about the suspected method of compromise.
- What kind of assistance you request (Investigation of a specific issue etc.)
P.s: Please upvote/accept this answer of you find this helpful.
- asked 5 months ago
- I enabled public access on my bucket's ACL using the Amazon S3 console. Is my bucket open to everyone?AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated a year ago
- EXPERTpublished 2 years ago