What do I do if I notice unauthorized activity in my AWS account?

Last updated: 2021-04-27

I see resources that I don't remember creating in the AWS Management Console.

-or-

I received a notification that my AWS resources or account might be compromised. What should I do?

Short description

Note: If you can't sign in to your account, use the Contact Us form to request help from AWS Support. The form also includes instructions on how to reset your password.

If you observe unauthorized activity within your AWS account, or you believe that an unauthorized party accessed your account, then do the following:

Resolution

Rotate and delete all AWS access keys

If your application currently uses an access key, replace the key with a new one:

  1. First, create a second key. Then, modify your application to use the new key.
  2. Disable (but do not delete) the first key.
  3. If there are any problems with your application, reactivate the key temporarily. When your application is fully functional, and the first key is in the disabled state, then delete the first key.
  4. Delete any IAM users that you didn't create.

You can delete the access keys that your application no longer uses.

Treat AWS access keys the same way you treat an account password.

For instructions on determining which IAM user created a resource and restricting access, see How can I troubleshoot unusual resource activity with my AWS account?

Rotate any potentially unauthorized IAM user credentials

  1. Open the IAM console.
  2. Choose Users in the navigation pane.
  3. Choose each IAM user from the list, and then check under Permissions policies for a policy named AWSExposedCredentialPolicy_DO_NOT_REMOVE. If the user has this attached policy, you must rotate the access keys for the user.
  4. Delete any IAM users that you didn't create.
  5. Change the password for IAM users that you created and want to keep.
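The two procedures above (rotating an application's access key without an outage, and finding IAM users that were not yours or that AWS has flagged) can be scripted against the IAM API. The following is an added example written for this article, not AWS's own code: it uses the boto3 IAM client's list_users, list_attached_user_policies, list_access_keys, create_access_key, update_access_key and delete_access_key calls. The client is passed in so the same logic runs offline against the constructed FakeIAM stub; KNOWN_USERS, the user names and the key IDs in it are all made up.

```python
"""Triage IAM users and plan access-key rotation after a suspected compromise.

Added example, not AWS's own code. It automates the console checks above with
the boto3 IAM client: unrecognised users, users carrying
AWSExposedCredentialPolicy_DO_NOT_REMOVE, and the create/switch/deactivate/
delete order for key rotation. The client is injected, so the logic also runs
offline against the constructed FakeIAM below; KNOWN_USERS and every sample
value are made up for this example.
"""
EXPOSED_POLICY = "AWSExposedCredentialPolicy_DO_NOT_REMOVE"
MAX_KEYS_PER_USER = 2  # IAM allows at most two access keys per user


def list_user_names(iam):
    """Return every IAM user name, following list_users pagination."""
    names, kwargs = [], {}
    while True:
        page = iam.list_users(**kwargs)
        names.extend(u["UserName"] for u in page["Users"])
        if not page.get("IsTruncated"):
            return names
        kwargs = {"Marker": page["Marker"]}


def triage_users(iam, known_users):
    """Return {'unrecognised': [...], 'exposed': [...]} for the account.

    unrecognised: users the owner did not create (delete after confirming)
    exposed:      users AWS flagged by attaching EXPOSED_POLICY (rotate keys)
    """
    report = {"unrecognised": [], "exposed": []}
    for name in list_user_names(iam):
        if name not in known_users:
            report["unrecognised"].append(name)
        policies = iam.list_attached_user_policies(UserName=name)["AttachedPolicies"]
        if any(p["PolicyName"] == EXPOSED_POLICY for p in policies):
            report["exposed"].append(name)
    return report


def plan_key_rotation(key_metadata):
    """Order the rotation steps for one user's AccessKeyMetadata list.

    Mirrors the article: create a replacement, switch the application,
    deactivate (not delete) the old key, delete it once the application is
    known to work. Because of the two-key limit, an inactive leftover key is
    deleted first so a new key can be created; two active keys need a human
    decision about which one the application really uses.
    """
    active = [k["AccessKeyId"] for k in key_metadata if k["Status"] == "Active"]
    inactive = [k["AccessKeyId"] for k in key_metadata if k["Status"] != "Active"]
    steps = [("delete", k) for k in inactive]
    if len(active) >= MAX_KEYS_PER_USER:
        steps.append(("manual", "two active keys: find which one the application uses"))
        return steps
    steps += [("create", "new key"), ("update-application", "new key")]
    steps += [("deactivate", k) for k in active]
    steps.append(("verify-application", "reactivate old key only if something breaks"))
    steps += [("delete", k) for k in active]
    return steps


def apply_step(iam, user, step):
    """Run one (action, target) step with real IAM calls; returns the new key id for 'create'."""
    action, key_id = step
    if action == "create":
        return iam.create_access_key(UserName=user)["AccessKey"]["AccessKeyId"]
    if action == "deactivate":
        iam.update_access_key(UserName=user, AccessKeyId=key_id, Status="Inactive")
    elif action == "delete":
        iam.delete_access_key(UserName=user, AccessKeyId=key_id)
    # update-application / verify-application / manual happen outside IAM
    return None


class FakeIAM:
    """Constructed stand-in for boto3.client('iam'); all data is made up."""
    _users = ["alice", "deploy-bot", "svc-backup-7f3"]
    _policies = {"deploy-bot": [{"PolicyName": EXPOSED_POLICY}]}
    _keys = {"deploy-bot": [{"AccessKeyId": "AKIAEXAMPLEOLDKEY001", "Status": "Active"},
                            {"AccessKeyId": "AKIAEXAMPLEOLDKEY002", "Status": "Inactive"}]}

    def list_users(self, Marker="0"):  # two users per page to exercise pagination
        start = int(Marker)
        page = self._users[start:start + 2]
        more = start + 2 < len(self._users)
        out = {"Users": [{"UserName": n} for n in page], "IsTruncated": more}
        if more:
            out["Marker"] = str(start + 2)
        return out

    def list_attached_user_policies(self, UserName):
        return {"AttachedPolicies": self._policies.get(UserName, [])}

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": self._keys.get(UserName, [])}


KNOWN_USERS = {"alice", "deploy-bot"}  # constructed: users the owner remembers creating

if __name__ == "__main__":
    # import boto3; iam = boto3.client("iam")   # for a real account
    iam = FakeIAM()
    report = triage_users(iam, KNOWN_USERS)
    print(report)
    for user in report["exposed"]:
        keys = iam.list_access_keys(UserName=user)["AccessKeyMetadata"]
        for step in plan_key_rotation(keys):
            print(user, *step)
```

Run it as-is to see the plan for the constructed data; against a real account, replace FakeIAM with boto3.client("iam") and feed each step of the plan to apply_step only after the application-side steps have been carried out by hand.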

Check your bill

The Bills page of your AWS Management Console lists all charges for all resources on your account. Check your bill for the following:

  • AWS services that you don't normally use
  • Resources in AWS Regions that you don't normally use
  • A significant change in the size of your bill

You can use this information to help you to delete or terminate any resources you don't want to keep.

Delete any unrecognized or unauthorized resources

Sign in to your AWS account, and then check to make sure that all the resources on your account are resources that you launched. Be sure to check all AWS Regions, even Regions where you never launched AWS resources.

Important: If you need to keep any resources for investigation, consider backing them up. For example, if you have a regulatory, compliance, or legal need to retain an EC2 instance, take an EBS snapshot before terminating the instance.

Pay special attention to the following resources:

To delete Lambda functions and layers, do the following:

  1. Open the Lambda console.
  2. In the navigation pane, choose Functions.
  3. Select the functions that you want to delete.
  4. For Actions, choose Delete.
  5. In the navigation pane, choose Layers.
  6. Select the layer that you want to delete.
  7. Choose Delete.

For information on how to delete a resource associated with a particular AWS service, see How do I terminate all my resources before closing my AWS account?
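Checking every Region by hand in the console is slow and easy to get wrong. The following is an added example, not AWS's own code, that sweeps all enabled Regions for EC2 instances and Lambda functions with the boto3 describe_regions, describe_instances and list_functions calls and reports the Regions the owner never deploys to. Clients come from a factory so the same code runs for real (boto3) or offline against the constructed FakeClient; EXPECTED_REGIONS and the instance and function names are made up.

```python
"""Inventory EC2 instances and Lambda functions in every Region.

Added example, not AWS's own code. It implements the 'check all AWS Regions'
step with boto3 clients obtained from a factory, so the same code runs for
real (boto3_factory) or offline against the constructed FakeClient below. The
expected-Region set and all sample resources are made up for this example.
"""


def boto3_factory(service, region):
    """Default factory: a real boto3 client (import deferred so offline use needs no boto3)."""
    import boto3
    return boto3.client(service, region_name=region)


def enabled_regions(factory):
    """Regions enabled for the account. describe_regions omits opt-in Regions that are
    still disabled, and a disabled Region cannot hold resources, so this is the full search space."""
    ec2 = factory("ec2", "us-east-1")
    return sorted(r["RegionName"] for r in ec2.describe_regions()["Regions"])


def ec2_instances(ec2):
    """All non-terminated instance ids in one Region, following describe_instances pagination."""
    ids, kwargs = [], {}
    while True:
        page = ec2.describe_instances(**kwargs)
        for reservation in page["Reservations"]:
            ids.extend(i["InstanceId"] for i in reservation["Instances"]
                       if i["State"]["Name"] != "terminated")
        if not page.get("NextToken"):
            return ids
        kwargs = {"NextToken": page["NextToken"]}


def lambda_functions(lam):
    """All function names in one Region, following list_functions pagination."""
    names, kwargs = [], {}
    while True:
        page = lam.list_functions(**kwargs)
        names.extend(f["FunctionName"] for f in page["Functions"])
        if not page.get("NextMarker"):
            return names
        kwargs = {"Marker": page["NextMarker"]}


def inventory(factory):
    """Map each Region to the resources found there (Regions with nothing are omitted)."""
    found = {}
    for region in enabled_regions(factory):
        instances = ec2_instances(factory("ec2", region))
        functions = lambda_functions(factory("lambda", region))
        if instances or functions:
            found[region] = {"instances": instances, "functions": functions}
    return found


def unexpected(found, expected_regions):
    """Regions holding resources where the owner never deploys: the first place to look."""
    return {r: v for r, v in found.items() if r not in expected_regions}


class FakeClient:
    """Constructed stand-in for boto3 clients; responses copy the real shapes."""
    _regions = ["us-east-1", "eu-west-1", "ap-southeast-2"]
    _instances = {"us-east-1": ["i-0aaa111"], "ap-southeast-2": ["i-0bbb222", "i-0ccc333"]}
    _functions = {"ap-southeast-2": ["unknown-worker"]}

    def __init__(self, service, region):
        self.service, self.region = service, region

    def describe_regions(self):
        return {"Regions": [{"RegionName": r} for r in self._regions]}

    def describe_instances(self, NextToken=None):
        ids = self._instances.get(self.region, [])
        return {"Reservations": [{"Instances": [
            {"InstanceId": i, "State": {"Name": "running"}} for i in ids]}]}

    def list_functions(self, Marker=None):
        names = self._functions.get(self.region, [])
        return {"Functions": [{"FunctionName": n} for n in names]}


EXPECTED_REGIONS = {"us-east-1", "eu-west-1"}  # constructed: where the owner actually deploys

if __name__ == "__main__":
    found = inventory(FakeClient)  # use inventory(boto3_factory) for a real account
    for region, resources in unexpected(found, EXPECTED_REGIONS).items():
        print(region, resources)
```

The sweep only lists; deleting is left to a human because of the evidence caveat above. For an instance that has to be retained for investigation, take an EBS snapshot of each attached volume (ec2.create_snapshot(VolumeId=...), with the volume IDs taken from the instance's BlockDeviceMappings) before terminating it. Extend the per-Region step with other services the same way, for example the Lambda layers mentioned above via list_layers.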

Enable MFA

For increased security, it's a best practice to configure MFA to help protect your AWS resources. You can enable MFA for IAM users or the AWS account root user. Enabling MFA for the root user affects only the root user credentials. IAM users in the account are distinct identities with their own credentials, and each identity has its own MFA configuration.

For more information, see Enabling a virtual multi-factor authentication (MFA) device (console).

Verify your account information

AWS needs accurate account information in order to contact you and help resolve any account issues. Check that the information on your account is correct.

  1. The account name and email address.
  2. Your contact information, especially your phone number.
  3. The alternate contacts for your account.

Contact AWS Support

If you received a notification from AWS about your account, sign in to the AWS Support Center, and then respond to the notification.

If you can't sign in to your account, use the Contact Us form to request help from AWS Support.

If you have any questions or concerns, create a new AWS Support case in the AWS Support Center.

Note: Don't include sensitive information in your correspondence, such as AWS access keys, passwords, or credit card information.

Use AWS Git projects to scan for evidence of unauthorized use

AWS offers Git projects that you can install to help you protect your account:

  • Git Secrets can scan merges, commits, and commit messages for secret information (that is, access keys). If Git Secrets finds a match for a prohibited pattern, it can reject the commit before it is pushed to a public repository.
  • Use AWS Step Functions and AWS Lambda to generate Amazon CloudWatch Events from AWS Health or AWS Trusted Advisor findings. If there is evidence that your access keys are exposed, the projects can help you to automatically detect, log, and mitigate the event.
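To make concrete what a pre-commit secret scan such as Git Secrets does, here is an added example written for this article, not the git-secrets project's own code. It matches an access key ID (the four-letter prefix followed by sixteen characters) and a secret access key assigned to a variable named like one, and keeps an allowlist for the placeholder keys AWS prints in its documentation so they do not cause rejections. The patterns are simplified versions of my own, and SAMPLE_DIFF is a constructed hunk with a fabricated key pair.

```python
"""Scan text (a diff, a commit message, a config file) for AWS credential material.

Added example, not AWS's git-secrets itself. It shows the kind of check
git-secrets performs before a commit is accepted: regular expressions for an
access key ID and for a secret access key assignment, plus an allowlist for
the placeholder keys AWS uses in its documentation. The patterns are my own
simplified versions, and the sample input is constructed for this example.
"""
import re

# Access key IDs are 20 characters; the four-letter prefix identifies the key type
# (AKIA long-term user key, ASIA temporary STS key, AROA role id, AIDA user id, ...).
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA)[A-Z0-9]{16}\b")
# A 40-character base64-like value assigned to something named like a secret key.
SECRET_KEY = re.compile(
    r"(?i)(?:aws)?_?secret_?(?:access)?_?key[\"']?\s*(?::|=>|=)\s*[\"']?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")

# The keys AWS prints in its own documentation; never real credentials.
ALLOWED = {"AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}


def scan(text, allowed=ALLOWED):
    """Return [(line_number, kind, value)] for every suspected credential not on the allowlist."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_ID.finditer(line):
            if m.group(0) not in allowed:
                findings.append((lineno, "access_key_id", m.group(0)))
        for m in SECRET_KEY.finditer(line):
            if m.group(1) not in allowed:
                findings.append((lineno, "secret_access_key", m.group(1)))
    return findings


def should_reject(text):
    """Pre-commit decision: True when anything that looks like a live credential is present."""
    return bool(scan(text))


# Constructed sample: a diff hunk mixing a documentation placeholder with a
# realistic-looking but fabricated key pair.
SAMPLE_DIFF = """\
+# Example from the docs:
+# aws_access_key_id = AKIAIOSFODNN7EXAMPLE
+# aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+AWS_ACCESS_KEY_ID=AKIAZZZZZZZZZZZZZZZZ
+AWS_SECRET_ACCESS_KEY="abcdefghijklmnopqrstuvwxyz0123456789ABCD"
+region = us-east-1
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_DIFF):
        print("line %d: %s %s" % finding)
    print("reject commit:", should_reject(SAMPLE_DIFF))
```

Wired into a pre-commit hook, should_reject over the staged diff is the whole decision; the allowlist is what keeps documentation and test fixtures from blocking every commit, and it should contain only values that are known to be inert.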

Avoid using the root user for day-to-day operations

The access key for your AWS account root user gives full access to all your AWS resources, including your billing information. You can't reduce the permissions associated with your AWS account root user access key. It's a best practice not to use root user access keys unless absolutely necessary.

If you don't already have an access key for your AWS account root user, don't create one unless absolutely necessary. Instead, create an IAM user for yourself with administrative permissions. You can sign in to the AWS Management Console with your AWS account email address and password to create an IAM user.

For more information, see Lock away your AWS account root user access keys.
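The MFA and root-user recommendations above can be verified in one pass from the IAM credential report, which lists every user plus a <root_account> row. The following is an added example, not AWS's own code: it fetches the report with boto3's generate_credential_report and get_credential_report and flags root access keys, a root user without MFA, and console users without MFA. SAMPLE_REPORT is constructed, keeps only the columns the check uses (the real report has many more), and uses the documentation account ID 111122223333.

```python
"""Check root and IAM user credential posture from the IAM credential report.

Added example, not AWS's own code. It reads the CSV that
iam.generate_credential_report() / iam.get_credential_report() produce and
flags the conditions the MFA and root-user sections warn about: root access
keys present, root or console users without MFA. The sample report below is
constructed and keeps only the columns this check uses (the real report has
more); the account in it is imaginary.
"""
import csv
import io
import time


def fetch_credential_report(iam):
    """Ask IAM for a fresh report and return its CSV text (real boto3 calls)."""
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)  # generation is asynchronous; poll until it is ready
    return iam.get_credential_report()["Content"].decode("utf-8")


def posture_findings(report_csv):
    """Return a list of (principal, finding) tuples from credential report CSV text."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        has_password = row["password_enabled"] == "true"
        mfa = row["mfa_active"] == "true"
        keys = row["access_key_1_active"] == "true" or row["access_key_2_active"] == "true"
        if user == "<root_account>":
            if keys:
                findings.append((user, "root access key exists: delete it and use an IAM admin user"))
            if not mfa:
                findings.append((user, "root user has no MFA device"))
            continue
        # Users with only access keys (no console password) are not MFA candidates here.
        if has_password and not mfa:
            findings.append((user, "console password without MFA"))
    return findings


# Constructed sample report: root has an access key and no MFA, bob has a
# console password without MFA, alice is clean, deploy-bot is keys-only.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::111122223333:root,true,false,true,false
alice,arn:aws:iam::111122223333:user/alice,true,true,false,false
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,false,false,true,false
bob,arn:aws:iam::111122223333:user/bob,true,false,false,false
"""

if __name__ == "__main__":
    # import boto3; report = fetch_credential_report(boto3.client("iam"))   # real account
    for principal, finding in posture_findings(SAMPLE_REPORT):
        print(principal, "-", finding)
```

Running this on a schedule and alerting on any non-empty result turns the two recommendations into a continuous check rather than a one-time cleanup.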

Follow AWS security best practices

For information on best practices to consider when securing your account and its resources, see What are some best practices for securing my AWS account and its resources? However, some of these best practices might not be appropriate or sufficient for your environment. Treat them as general guidelines rather than a complete security solution.