I see resources I don’t remember creating in the AWS Management Console, or I received a notification that my AWS resources or account may be compromised. What should I do?
If you suspect that your account has been compromised, or if you have received a notification from AWS that the account has been compromised, perform the following tasks:
- Change your AWS root account password and the passwords of any IAM users.
- Delete or rotate AWS access keys.
- Delete any resources on your account you didn’t create, especially running EC2 instances, EC2 spot bids, or IAM users.
- Respond to any notifications you received from AWS Support through the AWS Support Center.
Change your AWS root account password and the passwords of any IAM users
For information on changing your root AWS password, see How do I change the password associated with my AWS account? For information on changing the password of an IAM user, see Managing Passwords for IAM Users.
Changing a compromised password revokes the access an attacker gained with it. It is also a best practice to change passwords on a regular basis and to enable multi-factor authentication (MFA) on the root account and IAM users, so that a stolen password on its own is not enough to sign in. For information on AWS security best practices, see the whitepaper at AWS Security Best Practices.
Delete or rotate any potentially compromised AWS access keys
If your application currently uses an exposed access key, replace the exposed key with a new one. To do this, create a second key and modify your application to use the new key; then, disable (but do not delete) the first key. If there are any problems with your application, reactivate the first key temporarily. When your application is fully functional while the first key is in the disabled state, delete the first key. Note that an IAM user can have at most two access keys at a time, so if the user already has two, delete the one that is no longer used before creating the replacement.
If you find AWS access keys that you no longer need or didn’t create, delete them. For more information, see How do I delete an AWS access key?
Treat AWS access keys the same way you would treat an account password: don’t provide access keys to anyone you don’t know and trust, don’t publish access keys to public websites or code repositories, and follow best practices when using or managing AWS access keys. For general information on AWS security best practices, see the whitepaper at AWS Security Best Practices.
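The create, deploy, disable, verify, delete sequence above, as an added example (not AWS tooling or code from this article). The `iam` argument is any object exposing the boto3 IAM client methods used here (`list_access_keys`, `create_access_key`, `update_access_key`, `delete_access_key`); in real use pass `boto3.client("iam")`. `FakeIAM`, the `deploy`/`verify` callbacks, the user name and the key IDs are constructed stand-ins so the example runs offline and shows both the successful path and the rollback when the application breaks with the old key disabled.

```python
"""Rotate an IAM user's access key: create -> deploy -> disable -> verify -> delete.
Example code added here; it is not AWS's own tooling."""


class FakeIAM:
    """In-memory stand-in for boto3.client("iam") (constructed for this demo)."""

    def __init__(self, keys):
        # keys: {user_name: {access_key_id: "Active" | "Inactive"}}
        self.keys = {user: dict(status) for user, status in keys.items()}
        self._created = 0

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [{"UserName": UserName, "AccessKeyId": k, "Status": s}
                                      for k, s in self.keys[UserName].items()]}

    def create_access_key(self, UserName):
        if len(self.keys[UserName]) >= 2:  # same limit the real service enforces
            raise RuntimeError("LimitExceeded: an IAM user can have at most two access keys")
        self._created += 1
        key_id = f"AKIA{self._created:016d}"  # placeholder ID, not a real key
        self.keys[UserName][key_id] = "Active"
        return {"AccessKey": {"AccessKeyId": key_id,
                              "SecretAccessKey": "placeholder-secret", "Status": "Active"}}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[UserName][AccessKeyId] = Status
        return {}

    def delete_access_key(self, UserName, AccessKeyId):
        del self.keys[UserName][AccessKeyId]
        return {}


def rotate_access_key(iam, user, old_key_id, deploy, verify):
    """Replace old_key_id for `user`.

    deploy(key_id, secret) must reconfigure the application to use the new key.
    verify() must return True once the application works with the old key disabled.
    The old key is deleted only after verify() succeeds; otherwise it is re-enabled."""
    steps = []
    existing = {m["AccessKeyId"]: m["Status"]
                for m in iam.list_access_keys(UserName=user)["AccessKeyMetadata"]}
    if old_key_id not in existing:
        raise ValueError(f"{old_key_id} is not an access key of {user}")
    if len(existing) >= 2:
        # Two keys per user is the service limit; a replacement cannot be created
        # until an unused key is removed.
        raise RuntimeError(f"{user} already has two access keys; delete an unused one first")

    new_key = iam.create_access_key(UserName=user)["AccessKey"]
    steps.append(("created", new_key["AccessKeyId"]))
    deploy(new_key["AccessKeyId"], new_key["SecretAccessKey"])
    steps.append(("deployed", new_key["AccessKeyId"]))

    # Disable (do not delete) the old key, then confirm nothing still depends on it.
    iam.update_access_key(UserName=user, AccessKeyId=old_key_id, Status="Inactive")
    steps.append(("disabled", old_key_id))
    if not verify():
        iam.update_access_key(UserName=user, AccessKeyId=old_key_id, Status="Active")
        steps.append(("reactivated", old_key_id))
        return {"ok": False, "new_key_id": new_key["AccessKeyId"], "steps": steps}

    iam.delete_access_key(UserName=user, AccessKeyId=old_key_id)
    steps.append(("deleted", old_key_id))
    return {"ok": True, "new_key_id": new_key["AccessKeyId"], "steps": steps}


def demo(app_works_with_new_key=True):
    """Run one rotation against the fake client; returns (result, remaining keys)."""
    user, old_key = "deploy-bot", "AKIAEXAMPLEOLDKEY000"   # constructed sample data
    iam = FakeIAM({user: {old_key: "Active"}})
    app_config = {"aws_access_key_id": old_key, "aws_secret_access_key": "old-secret"}

    def deploy(key_id, secret):
        app_config["aws_access_key_id"] = key_id
        app_config["aws_secret_access_key"] = secret

    def verify():
        # In practice: run the application's health checks with the old key disabled.
        return app_works_with_new_key and app_config["aws_access_key_id"] != old_key

    result = rotate_access_key(iam, user, old_key, deploy, verify)
    return result, iam.keys[user]


if __name__ == "__main__":
    for outcome in (True, False):
        res, keys = demo(outcome)
        print("ok" if res["ok"] else "rolled back", res["steps"], keys)
```

The verify step is the point of disabling before deleting: a deleted key cannot be brought back, a disabled one can. For a key that you did not create, or that you believe is being used by an attacker right now, do not wait for a deployment: disable it immediately and delete it once you have confirmed it belongs to nobody you trust.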
Delete any unrecognized or unauthorized resources
Sign in to your AWS account and check that all resources currently running on your account are resources you launched. Make sure to check all AWS Regions, even Regions in which you’ve never launched AWS resources: the console shows one Region at a time, and an attacker will often choose a Region you don’t use so that the resources go unnoticed. Pay special attention to running EC2 instances, Spot Instance requests, and IAM users (IAM is global, so unrecognized users appear regardless of the Region you are viewing). If you’re not sure how to delete a resource associated with a particular AWS service, find the documentation related to that service at AWS Documentation.
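The all-Regions check above, as an added example (not code from this article or from AWS). `sweep` walks every Region returned by `describe_regions`, lists running EC2 instances and open or active Spot Instance requests in each, lists IAM users once, and reports anything that is not in `known`, your own inventory of what you launched. `ec2_client_for(region)` is assumed to return an object with the boto3 EC2 client methods used here (`boto3.client("ec2", region_name=region)` in real use) and `iam` an IAM client; the `FakeEC2`/`FakeIAM` classes, Region layout, instance and request IDs and user names are constructed so the example runs offline.

```python
"""Find EC2 instances, Spot Instance requests and IAM users you did not create,
across every Region. Example code added here; not AWS's own tooling."""

from collections import namedtuple

Finding = namedtuple("Finding", "region kind identifier")


class FakeEC2:
    """Constructed stand-in for boto3.client("ec2") in one Region."""

    def __init__(self, all_regions, instances=(), spot_requests=()):
        self.all_regions = all_regions
        self.instances = list(instances)          # dicts with InstanceId, State
        self.spot_requests = list(spot_requests)  # dicts with SpotInstanceRequestId, State

    def describe_regions(self):
        return {"Regions": [{"RegionName": r} for r in self.all_regions]}

    @staticmethod
    def _wanted(filters, name):
        for f in filters or []:
            if f["Name"] == name:
                return set(f["Values"])
        return None

    def describe_instances(self, Filters=None):
        states = self._wanted(Filters, "instance-state-name")
        kept = [i for i in self.instances if states is None or i["State"]["Name"] in states]
        return {"Reservations": [{"Instances": kept}]}

    def describe_spot_instance_requests(self, Filters=None):
        states = self._wanted(Filters, "state")
        kept = [r for r in self.spot_requests if states is None or r["State"] in states]
        return {"SpotInstanceRequests": kept}


class FakeIAM:
    """Constructed stand-in for boto3.client("iam")."""

    def __init__(self, user_names):
        self.user_names = list(user_names)

    def list_users(self):
        return {"Users": [{"UserName": u} for u in self.user_names]}


def sweep(ec2_client_for, iam, known):
    """Return Findings for resources whose identifiers are not in `known`
    (a dict of sets: 'instances', 'spot_requests', 'users')."""
    findings = []
    # The Region list is the same from any Region; ask one we can always reach.
    regions = [r["RegionName"]
               for r in ec2_client_for("us-east-1").describe_regions()["Regions"]]
    for region in regions:   # includes Regions you have never used
        ec2 = ec2_client_for(region)
        running = ec2.describe_instances(
            Filters=[{"Name": "instance-state-name", "Values": ["running"]}])
        for reservation in running["Reservations"]:
            for inst in reservation["Instances"]:
                if inst["InstanceId"] not in known["instances"]:
                    findings.append(Finding(region, "ec2-instance", inst["InstanceId"]))
        spot = ec2.describe_spot_instance_requests(
            Filters=[{"Name": "state", "Values": ["open", "active"]}])
        for req in spot["SpotInstanceRequests"]:
            if req["SpotInstanceRequestId"] not in known["spot_requests"]:
                findings.append(Finding(region, "spot-request", req["SpotInstanceRequestId"]))
    for user in iam.list_users()["Users"]:   # IAM is global: check it once
        if user["UserName"] not in known["users"]:
            findings.append(Finding("global", "iam-user", user["UserName"]))
    return findings


def demo():
    """Constructed account: one Region in use, one never used, one empty."""
    regions = ["us-east-1", "eu-west-1", "ap-southeast-1"]
    fixtures = {
        "us-east-1": FakeEC2(regions, instances=[
            {"InstanceId": "i-0123456789abcdef0", "State": {"Name": "running"}},   # yours
            {"InstanceId": "i-0fedcba9876543210", "State": {"Name": "running"}},   # not yours
            {"InstanceId": "i-0aaaaaaaaaaaaaaa0", "State": {"Name": "stopped"}}]), # ignored
        "eu-west-1": FakeEC2(regions,   # a Region you never used
            instances=[{"InstanceId": "i-0bbbbbbbbbbbbbbb0", "State": {"Name": "running"}}],
            spot_requests=[{"SpotInstanceRequestId": "sir-constructed1", "State": "active"},
                           {"SpotInstanceRequestId": "sir-constructed2", "State": "cancelled"}]),
        "ap-southeast-1": FakeEC2(regions),
    }
    iam = FakeIAM(["deploy-bot", "backup-svc"])
    known = {"instances": {"i-0123456789abcdef0"}, "spot_requests": set(),
             "users": {"deploy-bot"}}
    return sweep(fixtures.__getitem__, iam, known)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding.region:15} {finding.kind:13} {finding.identifier}")
```

Against real clients, `describe_instances` and `describe_spot_instance_requests` return paged results, so use `ec2.get_paginator("describe_instances")` (and the equivalent for the other calls) rather than a single call, or a large account will silently hide findings. Anything the sweep reports is a candidate for deletion, not proof of compromise: confirm with whoever else has access to the account before removing it.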
Contact AWS support
If you received correspondence from AWS about potential issues with your account, sign in to the AWS Support Center and respond to the notification with any information AWS support requested from you. If you have any additional questions or concerns, but didn’t receive a notification, create a new AWS support case in the AWS Support Center.
Note: Do not include potentially sensitive information in your correspondence, including full AWS access keys, passwords, or credit card information.