User from external Developer with Admin permissions

0

We found out that the developer we hired to manage the setup and installation of our 4D Mirror instance was controlled by the engineer who set up the mirror and the upload of documents from the database to the S3 buckets. His key pair controls everything. We cannot change it because when we tried to disable his permissions, the documents could not complete the cycle and be stored on AWS and accessible from a link on our database. How do we fix this? I am the Root User and an Admin user in IAM with full admin permissions. BUT I know NOTHING about any of this. I am the owner of the company and AWS is not my area of expertise.

AI Help offered us this information:

  1. Assess current permissions:
     • Let's first check the IAM users and their permissions.
     • It appears there are no EC2 instances currently running in your account. This is good as it reduces the immediate risk surface. Now, let's focus on addressing the access control issue:
  2. Create a new IAM administrator account:
     • Log in to the AWS Management Console using your root account (if possible).
     • Navigate to IAM and create a new IAM user with full administrative permissions.
     • Ensure you securely store the credentials for this new admin user.
  3. Audit existing permissions:
     • Review all IAM users, groups, and roles.
     • Identify the engineer's IAM user and any associated roles or groups.
  4. Document current S3 bucket policies:
     • Note down the current S3 bucket policies and ACLs.
     • This will help in recreating necessary permissions later.
  5. Create new IAM roles for your application:
     • Create new IAM roles with the minimum necessary permissions for your 4D Mirror instance and S3 access.
     • Test these roles thoroughly in a staging environment if possible.
  6. Update application configuration:
     • Modify your 4D Mirror instance configuration to use the new IAM roles.
     • Test thoroughly to ensure document uploads and access work correctly.
  7. Revoke the engineer's access:
     • Once the new configuration is working, revoke all permissions from the engineer's IAM user.
     • Delete any access keys associated with their account.
  8. Rotate all secrets:
     • Change all passwords, access keys, and other secrets that the engineer might have had access to.
  9. Review and update security groups and network ACLs:
     • Ensure only necessary inbound and outbound traffic is allowed.
  10. Enable AWS CloudTrail and review logs:
     • If not already enabled, turn on CloudTrail to monitor API activity.
     • Review logs for any suspicious activity.
  11. Implement least privilege access:
     • Review and adjust permissions for all remaining IAM users and roles.
     • Implement the principle of least privilege across your AWS account.
  12. Set up monitoring and alerting:
     • Configure AWS Config rules to monitor for policy changes.
     • Set up CloudWatch alarms for unusual activity.
  13. Implement multi-factor authentication (MFA):
     • Require MFA for all IAM users, especially those with elevated privileges.
  14. Regular security audits:
     • Schedule regular security audits of your AWS environment.

However, most of this list is beyond my reach. How do I go about all this? Without hurting the entire organization, that is!

What is my best choice of action to correct all this?
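An added example, not part of the question or of the AI-generated list above: an offline audit of an IAM credential report (the CSV that `aws iam get-credential-report` returns, base64-encoded) that flags console sign-in without MFA, root access keys, long-lived keys, and keys that are still in active use. The last finding is the check to run before deleting the engineer's keys, because it shows which workload will break. The report rows, user names and account id are constructed.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the column layout of `aws iam get-credential-report`
# (the real command returns the CSV base64-encoded; decode it first).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
<root_account>,arn:aws:iam::111122223333:root,2021-03-01T10:00:00+00:00,not_supported,2024-06-01T09:12:00+00:00,not_supported,not_supported,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
owner-admin,arn:aws:iam::111122223333:user/owner-admin,2023-01-10T08:00:00+00:00,true,2024-06-02T07:30:00+00:00,2023-01-10T08:00:00+00:00,N/A,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
contractor-eng,arn:aws:iam::111122223333:user/contractor-eng,2022-05-20T12:00:00+00:00,true,2023-11-15T16:45:00+00:00,2022-05-20T12:00:00+00:00,N/A,false,true,2022-05-20T12:00:00+00:00,2024-06-02T03:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A
"""
NOW = datetime(2024, 6, 2, 12, 0, tzinfo=timezone.utc)  # fixed "today" for the constructed sample

def _ts(value):
    """Parse a credential-report timestamp; None for N/A / not_supported / no_information."""
    return None if value in ("N/A", "not_supported", "no_information", "") else datetime.fromisoformat(value)

def audit(rows, now=NOW, max_key_age_days=90):
    """Map user name -> list of findings; users with no findings are omitted."""
    findings = {}
    for row in rows:
        issues = []
        if row["mfa_active"] != "true" and (row["user"] == "<root_account>" or row["password_enabled"] == "true"):
            issues.append("console sign-in without MFA")
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if row["user"] == "<root_account>":
                issues.append(f"root access_key_{n} active: delete it")
            rotated = _ts(row[f"access_key_{n}_last_rotated"])
            if rotated and now - rotated > timedelta(days=max_key_age_days):
                issues.append(f"access_key_{n} older than {max_key_age_days} days")
            used = _ts(row[f"access_key_{n}_last_used_date"])
            if used and now - used < timedelta(days=7):
                svc = row[f"access_key_{n}_last_used_service"]
                issues.append(f"access_key_{n} in active use ({svc}): move that workload to a role before revoking")
        if issues:
            findings[row["user"]] = issues
    return findings

def run_audit(csv_text=SAMPLE_REPORT):
    """Parse the CSV text and audit it; returns the findings dict."""
    return audit(list(csv.DictReader(io.StringIO(csv_text))))
```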

2 Answers
0

At a minimum,

  • Check the S3 bucket policy, see if access is restricted.
  • Create a new IAM role that has permissions to read /write to S3.
  • Update your EC2 instance, to use the IAM role instead of the access key.

If you are not running it from EC2, but from an on-premises or non-AWS resource, you can create an IAM user with the same permissions, provision access keys and use the access keys for the read/write to S3.

answered 2 months ago
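An added example, not code from the answer above or from AWS: a least-privilege definition for the "new IAM role that has permissions to read/write to S3" the answer recommends, together with a checker that rejects the kind of all-access policy the question describes. The bucket name, key prefix and role usage are assumptions; the checker covers plain Allow statements and refuses NotAction/NotResource rather than interpreting them.

```python
BUCKET = "example-4d-mirror-docs"   # placeholder bucket name, not from the post
PREFIX = "documents/"               # placeholder key prefix the mirror writes under

# Trust policy: only the EC2 service may assume the role, so it is attached to the
# instance through an instance profile and no long-lived access key exists at all.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

def s3_rw_policy(bucket=BUCKET, prefix=PREFIX):
    """Permissions policy limited to listing one bucket and read/write/delete under one prefix."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}",
             "Condition": {"StringLike": {"s3:prefix": [f"{prefix}*"]}}},
            {"Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
             "Resource": f"arn:aws:s3:::{bucket}/{prefix}*"},
        ],
    }

# The situation the question describes: one credential whose policy "controls everything".
OVERBROAD_POLICY = {"Version": "2012-10-17",
                    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def policy_is_scoped(policy, bucket):
    """True only if every Allow statement grants explicit s3 actions on resources inside `bucket`."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            return False                # negated grants are open-ended; not accepted here
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action or not action.startswith("s3:"):
                return False            # wildcard or non-S3 action: too broad for this role
        for resource in _as_list(stmt.get("Resource", [])):
            if resource != bucket_arn and not resource.startswith(bucket_arn + "/"):
                return False            # reaches outside the one bucket
    return True
```

The two documents are what you pass to `aws iam create-role --assume-role-policy-document` and `aws iam put-role-policy --policy-document` when building the role, and `policy_is_scoped` is the review step before attaching them.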
0

Given your situation as the company owner with limited AWS expertise, here's a simplified approach to address your access control issues:

  1. Revoking access of unwanted user

    • Log into the AWS Management Console using your root account.
    • Go to IAM and search for the IAM user with unwanted access.
    • Delete this user and any unwanted role.
  2. Engage an AWS expert:

    • Consider hiring an AWS certified consultant or engaging AWS Professional Services. You can also reach out to us via an AWS Support case: https://aws.amazon.com/premiumsupport/
    • Once a case is created, the support team can perform an overview of your current setup and help you implement the necessary changes safely.
  3. Implement immediate security measures:

    • Enable multi-factor authentication (MFA) for your root account and all IAM users.
    • Change the password for your root account and any known IAM users.
  4. Gradually implement changes:

    • Work with the AWS expert to create new IAM roles with the minimum necessary permissions.
    • Test these roles in the staging environment before applying to production.
    • Gradually transition from the old setup to the new one, ensuring functionality at each step.
  5. Implement ongoing security practices:

    • Set up AWS CloudTrail for monitoring API activity.
    • Configure AWS Config rules to monitor for policy changes.
    • Schedule regular security audits of your AWS environment.

Remember, the key is to proceed cautiously and methodically. Don't rush to make changes without understanding their impact. Working with an AWS expert will help ensure a smooth transition while maintaining your system's functionality and improving its security.

References:

Here is a guide which advises on how to deal with unauthorized access : https://repost.aws/knowledge-center/potential-account-compromise

answered 2 months ago
AWS
SUPPORT ENGINEER
revised 2 months ago
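An added example, not from the answer above or from AWS: reviewing CloudTrail records (the "monitoring API activity" step) before revoking access, to see which principal and key actually perform the S3 writes so the upload pipeline can be moved to a role first, to confirm that a key is no longer used after a cutoff, and to list IAM changes made by anyone outside the known admin set. The records, user and role names, key ids and addresses are constructed placeholders.

```python
from collections import Counter

# Constructed records in the shape of a CloudTrail log file ({"Records": [...]}); names,
# key ids (..EXAMPLE..) and addresses (203.0.113.x) are placeholders.
SAMPLE_TRAIL = {"Records": [
    {"eventTime": "2024-06-01T22:10:05Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"type": "IAMUser", "userName": "contractor-eng", "accessKeyId": "AKIA0000EXAMPLE0001"},
     "sourceIPAddress": "203.0.113.10", "requestParameters": {"bucketName": "example-4d-mirror-docs"}},
    {"eventTime": "2024-06-01T22:41:30Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "contractor-eng", "accessKeyId": "AKIA0000EXAMPLE0001"},
     "sourceIPAddress": "203.0.113.10", "requestParameters": {"userName": "contractor-eng"}},
    {"eventTime": "2024-06-02T03:00:11Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"type": "IAMUser", "userName": "contractor-eng", "accessKeyId": "AKIA0000EXAMPLE0001"},
     "sourceIPAddress": "203.0.113.10", "requestParameters": {"bucketName": "example-4d-mirror-docs"}},
    {"eventTime": "2024-06-03T09:15:42Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIA0000EXAMPLE0002",
                      "arn": "arn:aws:sts::111122223333:assumed-role/mirror-s3-role/i-0abc123"},
     "sourceIPAddress": "203.0.113.25", "requestParameters": {"bucketName": "example-4d-mirror-docs"}},
]}

def _principal(ident):
    # IAM users carry userName; role sessions only carry an assumed-role ARN (.../role-name/session).
    return ident.get("userName") or ident.get("arn", "?").rsplit("/", 2)[-2]

def s3_write_sources(records):
    """Count S3 write events by (principal, access key id, source IP): who actually feeds the bucket."""
    counts = Counter()
    for r in records:
        if r["eventSource"] == "s3.amazonaws.com" and r["eventName"] in ("PutObject", "DeleteObject"):
            counts[(_principal(r["userIdentity"]), r["userIdentity"].get("accessKeyId"), r["sourceIPAddress"])] += 1
    return counts

def key_use_after(records, key_id, cutoff):
    """(eventTime, eventName) for calls still signed with key_id at/after cutoff; ISO 'Z' strings compare lexically."""
    return [(r["eventTime"], r["eventName"]) for r in records
            if r["userIdentity"].get("accessKeyId") == key_id and r["eventTime"] >= cutoff]

IAM_CHANGE_EVENTS = {"CreateAccessKey", "CreateUser", "AttachUserPolicy", "PutUserPolicy", "AddUserToGroup"}

def iam_changes_by_non_admins(records, admins=("owner-admin",)):
    """IAM changes performed by anyone outside the known admin set; each one deserves a look."""
    return [(r["eventTime"], _principal(r["userIdentity"]), r["eventName"]) for r in records
            if r["eventSource"] == "iam.amazonaws.com" and r["eventName"] in IAM_CHANGE_EVENTS
            and _principal(r["userIdentity"]) not in admins]
```

An empty result from `key_use_after` for the old key after the cutover date is the evidence that the pipeline now runs on the role and the key can be deleted.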
