What do I do if I notice unauthorized activity in my AWS account?
Last updated: 2022-08-25
I see resources that I don't remember creating in the AWS Management Console.
I received a notification that my AWS resources or account might be compromised.
If you suspect unauthorized activity in your AWS account, first verify if the activity was unauthorized by doing the following:
- Identify any unauthorized actions taken by the AWS Identity and Access Management (IAM) identities in your account.
- Identify any unauthorized access or changes to your account.
- Identify the creation of any unauthorized resources.
- Identify the creation of any unauthorized IAM resources, such as roles, managed policies, or management changes such as fraudulent linked accounts created in your AWS Organization.
Then, if you see unauthorized activity, follow the instructions in the If there was unauthorized activity in your AWS account section of this article.
Note: If you can't sign in to your account, see What do I do if I'm having trouble signing in to or accessing my AWS account?
Verify if there was unauthorized activity in your AWS account
Identify any unauthorized actions taken by the IAM identities in your account
- Determine the last time that each IAM user password or access key was used. For instructions, see Getting credential reports for your AWS account.
- Determine what IAM users, user groups, roles, and policies were used recently. For instructions, see Viewing last accessed information for IAM.
Identify any unauthorized access or changes to your account
Identify the creation of any unauthorized resources or IAM users
To identify any unauthorized resource usage, including unexpected services, Regions, or charges to your account, review the following:
- Cost & Usage Reports for your account
- The AWS Trusted Advisor check reference
- The Bills page of the AWS Management Console
Note: You can also use AWS Cost Explorer to review the charges and usage associated with your AWS account. For more information, see How can I use Cost Explorer to analyze my spending and usage?
If there was unauthorized activity in your AWS account
Important: If you received a notification from AWS about irregular activity in your account, first do the following instructions. Then, respond to the notification in the AWS Support Center with a confirmation of the actions that you completed.
Rotate and delete exposed account access keys
Check the irregular activity notification sent by AWS Support for exposed account access keys. If there are keys listed, then do the following for those keys:
- Create a new AWS access key.
- Modify your application to use the new access key.
- Deactivate the original access key.
Important: Don't delete the original access key yet. Deactivate the original access key only.
- Verify that there aren't any issues with your application. If there are issues, reactivate the original access key temporarily to remediate the problem.
- If your application is fully functional after deactivating the original access key, then delete the original access key.
- Delete the AWS account root user access keys that you no longer need or didn't create.
Rotate any potentially unauthorized IAM user credentials
- Open the IAM console.
- In the left navigation pane, choose Users. A list of the IAM users in your AWS account appears.
- Choose the name of the first IAM user on the list. The IAM user's Summary page opens.
- In the Permissions tab, under the Permissions policies section, look for a policy named AWSExposedCredentialPolicy_DO_NOT_REMOVE. If the user has this policy attached, then rotate the access keys for the user.
- Repeat steps 3 and 4 for each IAM user in your account.
- Delete any IAM users that you didn't create.
- Change the password for all of the IAM users that you created and want to keep.
If you use temporary security credentials, then see Revoking IAM role temporary security credentials.
Check your AWS CloudTrail logs for unsanctioned activity
- Open the AWS CloudTrail console.
- In the left navigation pane, choose Event history.
- Review for any unsanctioned activity, such as the creation of access keys, policies, roles, or temporary security credentials.
Important: Be sure to review the Event time to confirm if the resources were created recently and match the irregular activity.
- Delete any access keys, policies, roles, or temporary security credentials that you have identified as unsanctioned.
For more information, see Working with CloudTrail.
Delete any unrecognized or unauthorized resources
1. Sign in to the AWS Management Console. Then, verify that all the resources in your account are resources that you launched. Be sure to check and compare the usage from the previous month to the current one. Make sure that you look for all resources in all AWS Regions—even Regions where you never launched resources. Also, pay special attention to the following resource types:
- Amazon EC2 instances, Spot Instances, and Amazon Machine Images (AMIs), including instances in the stopped state
- AWS Auto Scaling groups
- Amazon Elastic Block Store (Amazon EBS) volumes and snapshots
- Amazon Elastic Container Service (Amazon ECS) clusters
- Amazon Elastic Container Registry (Amazon ECR) repositories
- AWS Lambda functions and layers
- Amazon Lightsail instances
- Amazon Route 53 domains
- Amazon SageMaker notebook instances
2. Delete any unrecognized or unauthorized resources. For instructions, see How do I terminate active resources that I no longer need on my AWS account?
Important: If you must keep any resources for investigation, consider backing up those resources. For example, if you must retain an EC2 instance for regulatory, compliance, or legal reasons, then create an Amazon EBS snapshot before terminating the instance.
Recover backed-up resources
If you configured services to maintain backups, then recover those backups from their last known uncompromised state.
For more information about how to restore specific types of AWS resources, see the following:
- Restoring from an Amazon EBS snapshot or an AMI
- Restoring from a DB snapshot (Amazon Relational Database Service (Amazon RDS) DB instances)
- Restoring previous versions (Amazon Simple Storage Service (Amazon S3) object versions)
Verify your account information
Verify that all of the following information is correct in your AWS account:
- Account name and email address
- Contact information (Make sure that your phone number is correct)
- Alternate contacts
Note: For more information about AWS account security best practices, see What are some best practices for securing my AWS account and its resources?