What can I do if I notice unauthorized activity in my AWS account?


I notice AWS resources that I don't recognize in the AWS Management Console, or I received a notification that my AWS account might be compromised.

Resolution

If you suspect unauthorized activity in your AWS account, first complete the following steps to verify whether there was unauthorized activity. Then, remediate the unauthorized activity in your AWS account. Finally, secure your AWS account root user with multi-factor authentication (MFA).

Note: If you can't sign in to your account, then see What do I do if I'm having trouble signing in to or accessing my AWS account?

Verify whether there was unauthorized activity in your account

Identify unauthorized actions taken by IAM identities in your account

  1. Determine the last time that each AWS Identity and Access Management (IAM) user password or access key was used. For instructions, see Generate credential reports for your AWS account.
  2. Determine what IAM users, user groups, roles, and policies were used recently. For instructions, see View last accessed information for IAM.
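As an added example that is not part of this AWS article, the following Python performs the "last used" check from step 1 over an IAM credential report: it reads the CSV layout that get-credential-report returns and lists every enabled password or active access key used inside a lookback window, plus console-capable identities without MFA. SAMPLE_REPORT, its reduced column set and all timestamps are constructed.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample of an IAM credential report (the CSV that
# `aws iam get-credential-report` returns after base64 decoding), cut down to
# the columns used here; a real report carries more columns in the same layout.
SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,not_supported,2024-05-01T08:00:00+00:00,false,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,true,2024-03-02T09:15:00+00:00,true,true,2024-05-03T22:41:00+00:00,false,N/A
build-bot,arn:aws:iam::111122223333:user/build-bot,false,no_information,false,true,2024-01-10T00:00:00+00:00,true,N/A
"""

def parse_time(value):
    """Aware datetime for an ISO-8601 cell; None for N/A, no_information, etc."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None

def recent_credential_use(report_csv, now, window_days=7):
    """(user, credential, last_used) for every enabled password or active access
    key used within the lookback window, most recent first. These identities
    are the ones to examine first for unauthorized activity."""
    since = now - timedelta(days=window_days)
    hits = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        # The root row reports password_enabled as not_supported; root always
        # has a password, so treat that value as enabled.
        checks = [
            ("password", row["password_enabled"] in ("true", "not_supported"),
             row["password_last_used"]),
            ("access_key_1", row["access_key_1_active"] == "true",
             row["access_key_1_last_used_date"]),
            ("access_key_2", row["access_key_2_active"] == "true",
             row["access_key_2_last_used_date"]),
        ]
        for name, enabled, last_used in checks:
            ts = parse_time(last_used)
            if enabled and ts is not None and ts >= since:
                hits.append((row["user"], name, ts))
    return sorted(hits, key=lambda h: h[2], reverse=True)

def console_users_without_mfa(report_csv):
    """Identities that can sign in to the console (root included) without MFA."""
    return [row["user"] for row in csv.DictReader(io.StringIO(report_csv))
            if row["password_enabled"] in ("true", "not_supported")
            and row["mfa_active"] != "true"]
```

Run it against the decoded report for your own account and review every identity it returns; a hit for a user who has been inactive for months, or for the root user, is the kind of entry that step 2 and the CloudTrail review below should explain.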

Identify unauthorized access or changes to your account

For instructions, see How can I monitor the account activity of specific IAM users, roles, and AWS access keys? Also, see How do I troubleshoot unusual resource activity with my AWS account?

Identify the creation of unauthorized resources or IAM users

To identify unauthorized resource usage, including unexpected services and account charges, review the following:

Note: You can also use AWS Cost Explorer to review the charges and usage associated with your account. For more information, see How can I use Cost Explorer to analyze my spending and usage?

If you verified that there was no unauthorized activity in your account, then no further action is required.

If you verified that there was unauthorized activity, then proceed to the next section to remediate unauthorized activity in your AWS account.

Remediate unauthorized activity in your account

If you received a notification from AWS about irregular activity in your account, first complete the following instructions. Then, respond to the notification in the AWS Support Center with a confirmation of the actions that you completed.

Rotate and delete exposed account access keys

Check the irregular activity notification sent by AWS Support for exposed account access keys. If you see any keys listed, then complete the following steps:

  1. Create a new AWS access key.
  2. Modify your application to use the new access key.
  3. Deactivate the original access key.
    Important: Don't delete the original access key yet. Deactivate the original access key only.
  4. Verify that there are no issues with your application. If there are issues, reactivate the original access key temporarily to remediate the problem.
  5. If your application is fully functional after you deactivated the original access key, then delete the original access key.
  6. Delete the AWS account root user access keys that you no longer need or didn't create.

For more information, see Secure access keys and Manage access keys for IAM users.

Rotate possibly unauthorized IAM user credentials

  1. Open the IAM console, and then choose Users in the navigation pane.
  2. Choose the name of the first IAM user on the list. The IAM user's Summary page opens.
  3. On the Permissions tab, under the Permissions policies section, look for a policy named AWSCompromisedKeyQuarantineV2. If the user has this policy attached, then rotate the access keys for the user.
  4. Repeat steps 2-3 for each IAM user in your account.
  5. Delete IAM users that you didn't create.
  6. Change the password for all of the IAM users that you created and want to keep.

If you use temporary security credentials, then see Revoke IAM role temporary security credentials.

Check your AWS CloudTrail Event history for unsanctioned activity

  1. Open the AWS CloudTrail console, and then choose Event history in the navigation pane.
  2. Review for unsanctioned activity, such as the creation of access keys, policies, roles, or temporary security credentials.
    Important: Be sure to review the Event time to confirm if the resources were created recently and match the irregular activity.
  3. Delete access keys, policies, roles, or temporary security credentials that you identified as unsanctioned.
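As an added example that is not part of this AWS article, the following Python applies the review in step 2 to a CloudTrail export: it filters records for the event names that create access keys, users, roles, policies or temporary credentials, keeps only those whose Event time falls inside the incident window, and reduces each to the actor, source IP and target needed to decide what to delete in step 3. SAMPLE_TRAIL, the event list, the usernames and the IP addresses are constructed.

```python
import json
from datetime import datetime

# Event names that create or expand credentials, permissions, or a way back in;
# any of these inside the incident window deserves a look.
SUSPICIOUS_EVENTS = {
    "CreateAccessKey", "CreateUser", "CreateLoginProfile", "CreateRole",
    "AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy", "GetFederationToken",
}

def _rec(time, name, source, ip, actor, params):
    """One CloudTrail-shaped record for the constructed sample below."""
    return {"eventTime": time, "eventName": name, "eventSource": source,
            "sourceIPAddress": ip, "requestParameters": params,
            "userIdentity": {"type": "IAMUser", "userName": actor}}

# Constructed sample export in the CloudTrail record layout (not a real account).
SAMPLE_TRAIL = json.dumps({"Records": [
    _rec("2024-05-03T21:58:10Z", "CreateAccessKey", "iam.amazonaws.com",
         "198.51.100.23", "alice", {"userName": "alice"}),
    _rec("2024-05-03T22:01:44Z", "CreateUser", "iam.amazonaws.com",
         "198.51.100.23", "alice", {"userName": "backup-admin"}),
    _rec("2024-05-03T22:02:09Z", "AttachUserPolicy", "iam.amazonaws.com",
         "198.51.100.23", "alice", {"userName": "backup-admin",
         "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}),
    _rec("2024-05-03T22:05:00Z", "DescribeInstances", "ec2.amazonaws.com",
         "198.51.100.23", "alice", {}),
    _rec("2024-04-20T10:00:00Z", "CreateRole", "iam.amazonaws.com",
         "203.0.113.7", "bob", {"roleName": "lambda-exec"}),
]})

def parse_event_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def flag_unsanctioned(trail_json, window_start, window_end):
    # Suspicious events inside the window (ISO-8601 Z strings), oldest first.
    lo, hi = parse_event_time(window_start), parse_event_time(window_end)
    flagged = []
    for rec in json.loads(trail_json)["Records"]:
        ts = parse_event_time(rec["eventTime"])
        if rec["eventName"] in SUSPICIOUS_EVENTS and lo <= ts <= hi:
            flagged.append({"time": rec["eventTime"], "event": rec["eventName"],
                            "actor": rec["userIdentity"].get("userName", "?"),
                            "source_ip": rec["sourceIPAddress"],
                            "target": rec["requestParameters"]})
    return sorted(flagged, key=lambda e: e["time"])

def actors_and_ips(flagged):
    """Distinct (actor, source IP) pairs behind the flagged events."""
    return sorted({(e["actor"], e["source_ip"]) for e in flagged})
```

The "target" field of each flagged record names the key owner, user or role that was created or granted permissions, which is the list to work through in step 3; the actors and source IPs show which identity the attacker was using and belong in the report to AWS Support.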

For more information, see Working with CloudTrail Event history.

Delete unrecognized or unauthorized resources

  1. Open the AWS Management Console.
  2. Verify that all the resources in your account are resources that you launched. Be sure to check and compare the usage from the previous month to the current one. Make sure that you look for all resources in all AWS Regions, even in Regions where you never launched resources. Also, pay special attention to the following resource types:
  3. Delete unrecognized or unauthorized resources. For instructions, see How do I remove active resources that I no longer need in my AWS account?

Important: If you must keep resources available for investigation, then consider backing up those resources. For example, if you must retain an EC2 instance for regulatory, compliance, or legal reasons, then create an Amazon EBS snapshot before terminating the instance.

Recover backed-up resources

If you configured services to maintain backups, then recover those backups from their last known uncompromised state.

To restore specific types of AWS resources, see the following:

Verify your account information

Verify that all of the following information is correct in your account:

Note: For more information about account security best practices, see What are the best practices to secure my AWS account and its resources?

Secure your account root user with MFA

Because the AWS account root user has privileged access to AWS services and resources, it's a best practice to activate multi-factor authentication (MFA). MFA provides a second authentication factor for your sign-in credentials and reduces the risk of a compromised password. You can activate up to eight MFA devices for each IAM user with AWS Management Console access.

Note: MFA activation for the root user affects only the root user credentials. IAM users in the account are distinct identities with their own credentials and each identity has its own MFA configuration.

To activate MFA, see Secure your root user sign-in with MFA and MFA in IAM.

Related information

AWS security incident response guide

AWS security audit guidelines