I've got an email about an abuse report


Actually I haven't been using AWS EC2 for that long, except for the S3 and Route53 services. But today I got a report email about EC2 abuse. I couldn't believe that, because I found out that a new EC2 instance was created starting from 2025/01/14 05:52 GMT+9, which is when I was at the airport, which means I was never available to do this kind of task. Of course, I've got a tremendously high bill, over 100x, which is confusing and annoying me. I want to solve this problem, so please let me know what to do right now. (Actually, at first I had the unknown EC2 instance stopped right away.)

FYI, here's the report I've got below:

Hello,

We've received a report(s) that your AWS resource(s)

AWS ID: 441284854277 Region: ap-northeast-1 EC2 Instance Id: i-********************
AWS ID: 441284854277 Region: ap-northeast-1 Network Interface Id: e**-*******************

has been implicated in activity which resembles web-crawling; the reporter of the activity has indicated that the activity is unwelcome, disruptive, or excessive. Operating a webcrawler at an excessive or disruptive rate is forbidden in the AWS Acceptable Use Policy (https://aws.amazon.com/aup/). We've included the original report below for your review.

Please take action to stop the reported activity and reply directly to this email with details of the corrective actions you have taken. If you do not consider the activity described in these reports to be abusive, please reply to this email with details of your use case.

If you're unaware of this activity, it's possible that your environment has been compromised by an external attacker, or a vulnerability is allowing your machine to be used in a way that it was not intended.

We are unable to assist you with troubleshooting or technical inquiries. However, for guidance on securing your instance, we recommend reviewing the following resources:

If you require further assistance with this matter, you can take advantage of our developer forums:

https://forums.aws.amazon.com/index.jspa

Or, if you are subscribed to a Premium Support package, you may reach out for one-on-one assistance here:

https://console.aws.amazon.com/support/home#/case/create?issueType=technical

Please remember that you are responsible for ensuring that your instances and all applications are properly secured. If you require any further information to assist you in identifying or rectifying this issue, please let us know in a direct reply to this message.

Regards,
AWS Trust & Safety

Case Number: ------------------

---Beginning of forwarded report(s)---

  • Log Extract: <<< Hello,

An IP address within your delegated space is currently involved in an ongoing attack. Malicious traffic has been identified as originating from the following IP addresses:

xx.xx.xx.xx

GET /.git/config HTTP/1.1
Host: w*******...com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3880.4 Safari/537.36

  • Comments: <<< Please investigate the source of the malicious traffic and take action to stop the attack as soon as possible.

I look forward to your answer. Thank you.

asked 21 days ago, 43 views

2 Answers

I understand your concern about the abuse report you've received. This is a serious situation that requires immediate attention. Here are the steps you should take:

  1. Secure your AWS account immediately:

    • Change your AWS account password and enable multi-factor authentication (MFA) if you haven't already.
    • Review and revoke any suspicious IAM users, roles, or access keys.
  2. Investigate the unauthorized EC2 instances:

    • Examine the EC2 instances mentioned in the report, focusing on the ap-northeast-1 region.
    • Look for any unfamiliar or unexpected instances, especially those created on 2025/01/14.
  3. Stop and isolate suspicious resources:

    • If you've already stopped the unknown EC2 instances, that's a good first step.
    • Consider terminating these instances after preserving any necessary data for investigation.
  4. Review your billing and set up alerts:

    • Check your AWS billing dashboard for unexpected charges.
    • Set up billing alerts to notify you of unusual spending patterns in the future.
  5. Respond to the abuse notice:

    • Reply directly to the email from AWS Trust & Safety.
    • Explain that you did not create these instances and suspect your account was compromised.
    • Describe the actions you've taken to secure your account and stop the abusive activity.
  6. Conduct a thorough security audit:

    • Review all regions in your AWS account for any other unauthorized resources.
    • Check your CloudTrail logs for suspicious API calls or activities.
  7. Implement preventive measures:

    • Tighten your security groups and network ACLs.
    • Use AWS Config rules to monitor for unauthorized changes.
    • Consider using AWS GuardDuty for ongoing threat detection.
  8. If needed, contact AWS Support:

    • If you have a Premium Support package, open a case for additional assistance.
    • Otherwise, you can use the AWS developer forums for general guidance.

Remember, you are responsible for the security of your AWS resources. Take this incident as an opportunity to strengthen your overall security posture and implement best practices to prevent future unauthorized access.
answered 21 days ago
reviewed by an AWS Expert 21 days ago
  1. Stop/Terminate the Unauthorized Instance

    • Immediately stop or terminate the EC2 instance that was launched without your authorization to prevent further charges.
  2. Investigate Using CloudTrail Logs

    • Check the CloudTrail logs to identify the source of the unauthorized instance.
    • Look for events such as RunInstances or any unusual activity.
    • Note down the user, IP address, and time of the activity for your records.
  3. Rotate IAM User Password and Access Keys

    • Rotate the password and delete/recreate access keys for all IAM users in your account.
    • Ensure no credentials are exposed in your code or repositories.
  4. Enable Multi-Factor Authentication (MFA)

    • Configure MFA for all IAM users and the root account to secure access.
    • Use a hardware or virtual MFA device for better security.
  5. Respond to the AWS Case

    • Once you've performed the above steps, update the AWS Support Case with the following:
      • A summary of the actions you've taken.
      • Details from CloudTrail logs showing unauthorized activity.
      • Request for billing relief due to unauthorized usage.
answered 21 days ago
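As an added example (not from the question or either answer), here is a Python script for the CloudTrail step both answers describe: pull RunInstances events for a region and time window and reduce each to the principal, access key ID, source IP, user agent and launched instance IDs that belong in the reply to AWS Trust & Safety, then flag launches from IPs the owner does not recognise. The account ID, key ID, IP addresses, user ARN and instance ID in the embedded sample are constructed placeholders, and the live fetch helper assumes boto3 and working credentials.

```python
"""Summarise CloudTrail RunInstances events so the who/where/when can go in the abuse reply."""
import json


def summarize_run_instances(events):
    """Reduce CloudTrail LookupEvents records to the fields an investigator records."""
    rows = []
    for ev in events:
        detail = json.loads(ev["CloudTrailEvent"])  # the full event is a JSON string
        if detail.get("eventName") != "RunInstances":
            continue
        ident = detail.get("userIdentity", {})
        items = ((detail.get("responseElements") or {}).get("instancesSet") or {}).get("items", [])
        rows.append({
            "time": detail["eventTime"],
            "region": detail.get("awsRegion"),
            "principal": ident.get("arn") or ident.get("type"),
            "access_key": ident.get("accessKeyId"),  # the key to rotate or delete
            "source_ip": detail.get("sourceIPAddress"),
            "user_agent": detail.get("userAgent"),
            "instance_ids": [i["instanceId"] for i in items],
        })
    return rows


def unexpected_launches(rows, known_ips):
    """Launches whose source IP the account owner does not recognise."""
    return [r for r in rows if r["source_ip"] not in known_ips]


def fetch_run_instances(region, start, end):
    """Live query (LookupEvents covers the last 90 days); assumes boto3 and credentials."""
    import boto3
    paginator = boto3.client("cloudtrail", region_name=region).get_paginator("lookup_events")
    events = []
    for page in paginator.paginate(
            LookupAttributes=[{"AttributeKey": "EventName", "AttributeValue": "RunInstances"}],
            StartTime=start, EndTime=end):
        events.extend(page["Events"])
    return summarize_run_instances(events)


# Constructed sample record (account, key ID, IPs and ARN are placeholders, not real data).
# 2025-01-13T20:52:11Z is 2025/01/14 05:52 GMT+9, the launch time given in the question.
SAMPLE_EVENTS = [{"EventName": "RunInstances", "CloudTrailEvent": json.dumps({
    "eventTime": "2025-01-13T20:52:11Z", "eventName": "RunInstances", "awsRegion": "ap-northeast-1",
    "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/deploy",
                     "accessKeyId": "AKIAEXAMPLEPLACEHOLDER"},
    "sourceIPAddress": "198.51.100.23", "userAgent": "aws-cli/2.15.0",
    "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0123456789abcdef0"}]}},
})}]

if __name__ == "__main__":
    for row in unexpected_launches(summarize_run_instances(SAMPLE_EVENTS), {"203.0.113.7"}):
        print(row)
```

Run it against a real account by replacing the sample with `fetch_run_instances("ap-northeast-1", start, end)` using timezone-aware datetimes around the launch time, and repeat per region, since LookupEvents is regional.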
