Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

Inappropriate Restrictions to Admin Account

0

I had a key accessed in a way that was suspicious according to AWS Support and now my Admin account has restricted access to Lambda Functions across all Regions. Lambda workloads aren't running in every AZ. The key that was accessed inappropriately has limited permissions and is deactivated. The Live chat response from AWS Support is unresponsive after 30+ minutes. Highly inappropriate remediation for a key that has limited permissions. This feels like a sundial response not stopwatch. How can we resolve this quickly?

Topics
ServerlessManagement & GovernanceComputeSecurity, Identity, & Compliance
Tags
AWS Key Management ServiceAWS Identity and Access ManagementAWS Account ManagementAWS Lambda
Language
English
asked 10 months ago159 views
2 Answers
1

I understand your frustration with the situation. When AWS detects suspicious activity, they may take precautionary measures to protect your account, which can sometimes feel overly restrictive. However, these measures are designed to prevent potential security breaches.

Given the circumstances you've described, here are some steps you can take to resolve this issue more quickly:

  1. Continue working with AWS Support: Even though the live chat has been unresponsive, it's crucial to keep the support case open. If possible, escalate the case or request a callback from a senior support engineer.

  2. Review and update your security settings: Ensure that you've changed all passwords, especially for the root account, and enabled multi-factor authentication (MFA) if it wasn't already in place.

  3. Audit your IAM users and roles: Review all IAM users and roles, removing any unnecessary ones and ensuring that the principle of least privilege is applied.

  4. Revoke and rotate all access keys: As a precautionary measure, consider revoking and rotating all access keys, not just the one that was compromised.

  5. Implement an SCP (Service Control Policy) to invalidate old sessions: This can help ensure that any potentially compromised credentials are no longer valid.

  6. Document your remediation steps: Keep a detailed record of all the actions you've taken to secure your account. This information can be helpful when communicating with AWS Support.

  7. Request a security review: Ask AWS Support to conduct a thorough security review of your account to ensure no other vulnerabilities exist.

Remember, while the restrictions may feel excessive, they are in place to protect your resources. By demonstrating that you've taken comprehensive steps to secure your account, you may be able to expedite the process of having the restrictions lifted.

If the issue persists or you're unable to get a timely response from AWS Support, consider reaching out through other channels, such as your account manager (if you have one) or AWS's social media support channels.
Sources
The AWS account is unresolved due to security restrictions | AWS re:Post
Technique and access containment - AWS Security Incident Response Guide
Unauthorized tactic spotlight: Initial access through a third-party identity provider | AWS Security Blog

answered 10 months ago
EXPERT
reviewed 10 months ago
0
Accepted Answer

This issue is in the process of being resolved. It took an hour long wait to begin a live chat with our support staff. The support staff contacting a security team to address the issue. The security team removing a "compromised" label from the account. A Design Flaw costing reputation and time unnecessarily over a limited permission key imho.

answered 10 months ago
  • rePost-User-0672156
    2 months ago

    Eight months later, the same thing is still happening on AWS. Unacceptable.

    A notification was sent to my email in the middle of the night about suspicious activity involving an access key on my account. Instead of disabling this specific access key, my whole account is restricted from accessing critical resources such as Lambdas and API URLs. I have cleared all the suggested steps in the notification, but I am unable to get a response from AWS after posting my replies to the open case. Web submission is in unassigned state after 10+ hours. Chat window waits forever to connect. Phone request is not possible for basic support plan. Our web service is essentially down the whole time.

    Leaving customer service down under broad denials, with no clear path to recovery and no meaningful reply from Support after AWS initiated the quarantine, is inconsistent with the “detect, contain, eradicate, and recover” model AWS promotes in its own security and incident‑response guidance. This practice essentially forces users to pay to get heard even though it was initiated by AWS in the first place.

    There were no details on the security incident. I checked the Cloudtrail log and found nothing other than AWS's own explorations around that time. I don't know if it was a false alarm or how to prevent similar events. I am really frustrated at how the case is being handled.

    I have been an AWS user for many years. It's not the level of service I'd expect from Amazon. Anyone from AWS looking?

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content