By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

AWS Free Tier Breach - What to do

1

Is there an option to reset your AWS Free Tier to a clean slate when it gets compromised/breached? An option where you can remove all services, VPC, SG, ECS etc. that may have a billing component attached to it? Or there is nothing you can except to do the delete manually yourself? For whatever reason, the AWS Free Tier that I have NOT been using for a long time suddenly got breached and I or AWS can't explain how that happened.

Topics
Cloud Financial ManagementAWS Well-Architected FrameworkManagement & Governance
Tags
AWS BillingSecurityAWS Account Management
Language
English
rePost-User-3048836
asked a year ago258 views
2 Answers
1

There is no option to reset the AWS service.
You will need to remove it yourself.
Use the AWS Cost Explorer to identify which service in which region is being charged and remove it based on that information.
https://docs.aws.amazon.com/cost-management/latest/userguide/ce-what-is.html

profile picture
EXPERT
Riku_Kobayashi
answered a year ago
  • rePost-User-3048836
    a year ago

    Thanks for your reply Riku, it is a bit painful not to have this option as I can't find any audit trail of what the 'hacker' did. I just really want a clean slate like it is a new account :( Anyway, didn't find the information on Cost Explorer but on the Billing Dashboard. Delete the service but can't delete the AWSServiceRoleForECS Role that was created during the breach. Not sure if I am supposed to be able to delete it.

  • Riku_Kobayashi EXPERT
    a year ago

    If you want to see an audit trail, you may want to check CloudTrail. This one records API calls to AWS, so there is a high possibility of operation history, etc. If you want to remove "AWSServiceRoleForECS", you can use an IAM user with strong administrative privileges or a root user.

0

There are some open-source tools that can help.

After using these I would also use Cost Explorer to verify nothing is still charging you.

Since you were not using the account, you can always close it and reopen another when you are ready to use it.

profile picture
Robert Love
answered a year ago
  • rePost-User-3048836
    a year ago

    Thanks Robert for your reply. I don't have aws cli to test the tools :(. The bill is now in the US$600. I thought I've deleted all resources that AWS Support had provided from the initial list they provided of resources to be deleted, somehow more has spawned in ALL the enabled default regions that were not showing up earlier when I was doing the deletion :(. AFAIK, even if I close the account, the meter will continue to run so I still have to delete them. But yeah. I will be closing it. I hope they'll write off the bill. I am still lost how the account was hacked.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content