What do I do if I notice unauthorized activity in my AWS account?

Last updated: 2022-08-25

I see resources that I don't remember creating in the AWS Management Console.

-or-

I received a notification that my AWS resources or account might be compromised.

Short description

If you suspect unauthorized activity in your AWS account, first verify if the activity was unauthorized by doing the following:

  • Identify any unauthorized actions taken by the AWS Identity and Access Management (IAM) identities in your account.
  • Identify any unauthorized access or changes to your account.
  • Identify the creation of any unauthorized resources.
  • Identify the creation of any unauthorized IAM resources, such as roles, managed policies, or management changes such as fraudulent linked accounts created in your AWS Organization.

Then, if you see unauthorized activity, follow the instructions in the If there was unauthorized activity in your AWS account section of this article.

Note: If you can't sign in to your account, see What do I do if I'm having trouble signing in to or accessing my AWS account?

Resolution

Verify if there was unauthorized activity in your AWS account

Identify any unauthorized actions taken by the IAM identities in your account

  1. Determine the last time that each IAM user password or access key was used. For instructions, see Getting credential reports for your AWS account.
  2. Determine what IAM users, user groups, roles, and policies were used recently. For instructions, see Viewing last accessed information for IAM.

Identify any unauthorized access or changes to your account

For instructions, see How can I monitor the account activity of specific IAM users, roles, and AWS access keys? Also, see How can I troubleshoot unusual resource activity with my AWS account?

Identify the creation of any unauthorized resources or IAM users

To identify any unauthorized resource usage, including unexpected services, Regions, or charges to your account, review the following:

Note: You can also use AWS Cost Explorer to review the charges and usage associated with your AWS account. For more information, see How can I use Cost Explorer to analyze my spending and usage?

If there was unauthorized activity in your AWS account

Important: If you received a notification from AWS about irregular activity in your account, first do the following instructions. Then, respond to the notification in the AWS Support Center with a confirmation of the actions that you completed.

Rotate and delete exposed account access keys

Check the irregular activity notification sent by AWS Support for exposed account access keys. If there are keys listed, then do the following for those keys:

  1. Create a new AWS access key.
  2. Modify your application to use the new access key.
  3. Deactivate the original access key.
    Important: Don't delete the original access key yet. Deactivate the original access key only.
  4. Verify that there aren't any issues with your application. If there are issues, reactivate the original access key temporarily to remediate the problem.
  5. If your application is fully functional after deactivating the original access key, then delete the original access key.
  6. Delete the AWS account root user access keys that you no longer need or didn't create.

For more information, see Best practices for managing AWS access keys and Managing access keys for IAM users.

Rotate any potentially unauthorized IAM user credentials

  1. Open the IAM console.
  2. In the left navigation pane, choose Users. A list of the IAM users in your AWS account appears.
  3. Choose the name of the first IAM user on the list. The IAM user's Summary page opens.
  4. In the Permissions tab, under the Permissions policies section, look for a policy named AWSExposedCredentialPolicy_DO_NOT_REMOVE. If the user has this policy attached, then rotate the access keys for the user.
  5. Repeat steps 3 and 4 for each IAM user in your account.
  6. Delete any IAM users that you didn't create.
  7. Change the password for all of the IAM users that you created and want to keep.

If you use temporary security credentials, then see Revoking IAM role temporary security credentials.

Check your AWS CloudTrail logs for unsanctioned activity

  1. Open the AWS CloudTrail console.
  2. In the left navigation pane, choose Event history.
  3. Review for any unsanctioned activity, such as the creation of access keys, policies, roles, or temporary security credentials.
    Important: Be sure to review the Event time to confirm if the resources were created recently and match the irregular activity.
  4. Delete any access keys, policies, roles, or temporary security credentials that you have identified as unsanctioned.

For more information, see Working with CloudTrail.

Delete any unrecognized or unauthorized resources

1.    Sign in to the AWS Management Console. Then, verify that all the resources in your account are resources that you launched. Be sure to check and compare the usage from the previous month to the current one. Make sure that you look for all resources in all AWS Regions—even Regions where you never launched resources. Also, pay special attention to the following resource types:

2.    Delete any unrecognized or unauthorized resources. For instructions, see How do I terminate active resources that I no longer need on my AWS account?

Important: If you must keep any resources for investigation, consider backing up those resources. For example, if you must retain an EC2 instance for regulatory, compliance, or legal reasons, then create an Amazon EBS snapshot before terminating the instance.

Recover backed-up resources

If you configured services to maintain backups, then recover those backups from their last known uncompromised state.

For more information about how to restore specific types of AWS resources, see the following:

Verify your account information

Verify that all of the following information is correct in your AWS account:

Note: For more information about AWS account security best practices, see What are some best practices for securing my AWS account and its resources?