Inappropriate Restrictions to Admin Account

0

I had a key accessed in a way that was suspicious according to AWS Support and now my Admin account has restricted access to Lambda Functions across all Regions. Lambda workloads aren't running in every AZ. The key that was accessed inappropriately has limited permissions and is deactivated. The Live chat response from AWS Support is unresponsive after 30+ minutes. Highly inappropriate remediation for a key that has limited permissions. This feels like a sundial response not stopwatch. How can we resolve this quickly?

2 Answers
1

I understand your frustration with the situation. When AWS detects suspicious activity, they may take precautionary measures to protect your account, which can sometimes feel overly restrictive. However, these measures are designed to prevent potential security breaches.

Given the circumstances you've described, here are some steps you can take to resolve this issue more quickly:

  1. Continue working with AWS Support: Even though the live chat has been unresponsive, it's crucial to keep the support case open. If possible, escalate the case or request a callback from a senior support engineer.

  2. Review and update your security settings: Ensure that you've changed all passwords, especially for the root account, and enabled multi-factor authentication (MFA) if it wasn't already in place.

  3. Audit your IAM users and roles: Review all IAM users and roles, removing any unnecessary ones and ensuring that the principle of least privilege is applied.

  4. Revoke and rotate all access keys: As a precautionary measure, consider revoking and rotating all access keys, not just the one that was compromised.

  5. Implement an SCP (Service Control Policy) to invalidate old sessions: This can help ensure that any potentially compromised credentials are no longer valid.

  6. Document your remediation steps: Keep a detailed record of all the actions you've taken to secure your account. This information can be helpful when communicating with AWS Support.

  7. Request a security review: Ask AWS Support to conduct a thorough security review of your account to ensure no other vulnerabilities exist.

Remember, while the restrictions may feel excessive, they are in place to protect your resources. By demonstrating that you've taken comprehensive steps to secure your account, you may be able to expedite the process of having the restrictions lifted.

If the issue persists or you're unable to get a timely response from AWS Support, consider reaching out through other channels, such as your account manager (if you have one) or AWS's social media support channels.
Sources
The AWS account is unresolved due to security restrictions | AWS re:Post
Technique and access containment - AWS Security Incident Response Guide
Unauthorized tactic spotlight: Initial access through a third-party identity provider | AWS Security Blog

answered 7 days ago
EXPERT
reviewed 6 days ago
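
Steps 3 to 5 of the answer above, sketched as an added example that is not part of the original answer or any AWS tooling: it reads an IAM credential report to list active access keys last rotated before a containment time, and builds a deny policy keyed on `aws:TokenIssueTime` for older sessions. The report rows, account ID, cutoff time and function names are constructed for illustration.

```python
import csv, io, json
from datetime import datetime, timezone

# Constructed sample using a subset of the IAM credential report CSV columns.
SAMPLE_REPORT = """\
user,arn,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,true,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,true,2024-01-10T08:00:00+00:00,false,N/A
alice,arn:aws:iam::111122223333:user/alice,true,true,2025-03-02T12:00:00+00:00,true,2023-06-01T00:00:00+00:00
bob,arn:aws:iam::111122223333:user/bob,true,false,2022-01-01T00:00:00+00:00,false,N/A
"""

def keys_to_rotate(report_csv, cutoff):
    """Return (user, key_slot) for every ACTIVE key last rotated before cutoff."""
    stale = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue  # inactive or absent keys need no rotation
            rotated = datetime.fromisoformat(row[f"access_key_{slot}_last_rotated"])
            if rotated < cutoff:
                stale.append((row["user"], f"access_key_{slot}"))
    return stale

def session_revocation_policy(cutoff):
    """Deny all actions for temporary credentials issued before cutoff.

    aws:TokenIssueTime is absent for long-term access keys, so this statement
    does not touch them; they still have to be rotated (see keys_to_rotate).
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenySessionsIssuedBeforeCutoff",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"DateLessThan": {
                "aws:TokenIssueTime": cutoff.strftime("%Y-%m-%dT%H:%M:%SZ")}},
        }],
    }

if __name__ == "__main__":
    cutoff = datetime(2025, 3, 1, tzinfo=timezone.utc)  # constructed containment time
    print(keys_to_rotate(SAMPLE_REPORT, cutoff))
    print(json.dumps(session_revocation_policy(cutoff), indent=2))
```

A policy attached as an SCP does not apply to the organization's management account, so sessions there need the same statement as an IAM policy instead.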
0
Accepted Answer

This issue is in the process of being resolved. It took an hour-long wait to begin a live chat with our support staff. The support staff is contacting a security team to address the issue. The security team is removing a "compromised" label from the account. A Design Flaw costing reputation and time unnecessarily over a limited permission key, IMHO.

answered 6 days ago
