
My AWS account has been hacked for over a week, and it generated a bill of $2845 in the last two days of Feb and $3431 in March. This amount was generated in just 15 days.

On 26th Feb, I received a mail from AWS regarding irregular activity, so I immediately followed the steps mentioned in that email: I deleted the access key and changed my password. I couldn't see any new users, roles or policies in IAM at that time, but now I can see 30 roles and policies applied. I have deleted the roles and policies and the other Amazon resources which were producing the bill. I made this account only for educational purposes; I can't afford to pay such an amount ($2845 + $3431). I'm a student. Today I generated a support ticket 9763861881 and reopened the ticket which was generated on 26th Feb for irregular activity. Please assist.

3 Answers

Sorry to hear about the impact to your account. Please see a similar post for guidance on this.

"Hello, have you already tried completing this process, and read through this?

This is to regain access to your AWS Account so you can delete resources. Compromised accounts fall on the customer side of the shared responsibility model, so you will want to act to try and regain access to your account if you have not already."

answered 7 months ago

Hi, sorry to hear that happened. While you have already raised the support case, here are some guidelines for compromised accounts. Also, in future make sure you set up billing alarms on your account, so that for any amount that goes above a threshold you are not comfortable with, AWS will send you a notification immediately. Also, as a good practice, please refrain from sharing PII such as your account number or case ID in public forums.

• Rotate and delete all root and AWS Identity and Access Management (IAM) access keys.
• Delete any potentially unauthorized IAM users, and then change the password for all other IAM users.
• Check your bill. Your bill can help you identify resources that you didn't create.
• Delete any resources on your account that you didn't create, such as Amazon Elastic Compute Cloud (Amazon EC2) instances and AMIs, Amazon Elastic Block Store (Amazon EBS) volumes and snapshots, and IAM users. Note: Before deleting your resources, consider if you have a regulatory or legal need to investigate those resources. If so, consider keeping a few snapshots of EBS resources.
• Enable multi-factor authentication (MFA) on the root user and any IAM users with console access. Enabling MFA can help you to secure the accounts and prevent unauthorized users from logging in to accounts without a security token.
• Verify that your account information is correct.
• Respond to the notifications that you received from AWS Support through the AWS Support Center.

answered 6 months ago
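One way to make the first steps of that checklist repeatable, as an added example that is not from the answer's author or from AWS: save the JSON printed by the AWS CLI and triage it offline, listing roles created on or after the day the warning e-mail arrived, access keys that are still active, and whether root MFA is on. The three documents inside the script are constructed samples in the shape of the real CLI output; the account ID, role names and key IDs are placeholders.

```python
"""Offline triage of IAM inventory JSON after a suspected account compromise.
Feed it what the AWS CLI prints: `aws iam list-roles`, `aws iam list-access-keys
--user-name <name>` (once per user) and `aws iam get-account-summary`.
The documents below are constructed samples with that shape, not real output."""
import json
from datetime import datetime, timezone

INCIDENT_START = datetime(2024, 2, 26, tzinfo=timezone.utc)  # day the AWS warning arrived

ROLES_JSON = json.dumps({"Roles": [
    {"RoleName": "LabRole", "Arn": "arn:aws:iam::111122223333:role/LabRole",
     "CreateDate": "2023-11-02T10:15:00+00:00"},
    {"RoleName": "unknown-role-01", "Arn": "arn:aws:iam::111122223333:role/unknown-role-01",
     "CreateDate": "2024-02-26T03:41:12+00:00"},
]})
KEYS_JSON = json.dumps({"AccessKeyMetadata": [
    {"UserName": "student", "AccessKeyId": "AKIAEXAMPLE000000001", "Status": "Inactive",
     "CreateDate": "2023-11-02T10:20:00+00:00"},
    {"UserName": "student", "AccessKeyId": "AKIAEXAMPLE000000002", "Status": "Active",
     "CreateDate": "2024-02-27T08:00:00+00:00"},
]})
SUMMARY_JSON = json.dumps({"SummaryMap": {"AccountMFAEnabled": 0, "Users": 1, "Roles": 2}})

def _parse_date(text):
    # CLI v2 prints "+00:00"; older tooling may print a trailing "Z".
    return datetime.fromisoformat(text.replace("Z", "+00:00"))

def roles_created_since(roles_json, since=INCIDENT_START):
    """Role names created at or after `since`: candidates the owner did not create."""
    roles = json.loads(roles_json)["Roles"]
    return sorted(r["RoleName"] for r in roles if _parse_date(r["CreateDate"]) >= since)

def active_access_keys(keys_json):
    """(user, key id) pairs still Active; each should be rotated or deleted."""
    keys = json.loads(keys_json)["AccessKeyMetadata"]
    return [(k["UserName"], k["AccessKeyId"]) for k in keys if k["Status"] == "Active"]

def root_mfa_enabled(summary_json):
    """True when the root user has an MFA device registered."""
    return json.loads(summary_json)["SummaryMap"].get("AccountMFAEnabled", 0) == 1

def triage(roles_json=ROLES_JSON, keys_json=KEYS_JSON, summary_json=SUMMARY_JSON):
    """Collect the findings the remediation checklist acts on."""
    return {"suspicious_roles": roles_created_since(roles_json),
            "active_keys": active_access_keys(keys_json),
            "root_mfa_missing": not root_mfa_enabled(summary_json)}
```

Run `triage()` once against the saved files; every role it lists is one to confirm or delete, and every active key is one to rotate before the account is considered clean.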

Could AWS just dispute these kinds of abnormal charges? There is no reason that these should be paid by AWS customers.

answered 6 months ago
