My AWS account might be compromised
Last updated: 2020-04-15
I see resources that I don't remember creating in the AWS Management Console.
I received a notification that my AWS resources or account might be compromised. What should I do?
If you suspect that your account is compromised, then do the following:
- Change your AWS account root user password.
- Rotate and delete all root and AWS Identity and Access Management (IAM) access keys.
- Delete any potentially compromised IAM users, and change the password for all other IAM users.
- Delete any resources on your account that you didn't create, such as EC2 instances and AMIs, EBS volumes and snapshots, and IAM users.
- Respond to the notifications that you received from AWS Support through the AWS Support Center.
Change your AWS account root user password and the passwords of any IAM users
To change your AWS account root user password, see Changing the AWS Account Root User Password.
To change the password of an IAM user, see Managing Passwords for IAM Users.
It's a best practice to change your passwords on a regular basis to avoid unauthorized use of your account. For more information, see the AWS Security Best Practices whitepaper.
Rotate and delete all AWS access keys
If you find AWS access keys that you no longer need or didn't create, delete the access keys.
If your application currently uses an access key, replace the key with a new one:
- First, create a second key. Then, modify your application to use the new key.
- Disable (but do not delete) the first key.
- If there are any problems with your application, reactivate the key temporarily. When your application is fully functional and the first key is in the disabled state, then delete the first key.
- Delete any IAM users that you didn't create.
Treat AWS access keys the same way you treat an account password:
- Don't provide access keys to anyone that you don't know and trust.
- Don't publish access keys to public websites or code repositories.
- Follow best practices when using or managing AWS access keys.
For instructions on determining which IAM user created a resource and restricting access, see How can I troubleshoot unusual resource activity with my AWS account?
For AWS security best practices, see the AWS Security Best Practices whitepaper.
Delete any potentially compromised IAM users
- Open the IAM console.
- Choose each IAM user from the list, and then check under Permissions policies for a policy called AWSExposedCredentialPolicy_DO_NOT_REMOVE. If the user has this attached policy, you must delete the user.
- Delete any IAM users that you didn't create.
- Change the password for IAM users that you created and want to keep.
Delete any unrecognized or unauthorized resources
Sign in to your AWS account, and then check that all the resources on your account are resources that you launched. Be sure to check all AWS Regions, even Regions where you never launched AWS resources. Pay special attention to the following:
- EC2 instances and AMIs, including instances in the stopped state
- EBS volumes and snapshots
- AWS Lambda functions and layers
To delete Lambda functions and layers, do the following:
- Open the Lambda console.
- In the navigation pane, choose Functions.
- Select the functions that you want to delete.
- For Actions, choose Delete.
- In the navigation pane, choose Layers.
- Select the layer that you want to delete.
- Choose Delete.
If you're not sure how to delete a resource associated with a particular AWS service, find the service's documentation at AWS Documentation.
Contact AWS Support
If you received a notification from AWS about your account, sign in to the AWS Support Center and respond to the notification.
If you can't sign in to your account, use the Contact Us form to request help from AWS Support.
If you have any questions or concerns, create a new AWS Support case in the AWS Support Center.
Note: Don't include sensitive information in your correspondence, such as AWS access keys, passwords, or credit card information.
Use AWS Git projects to scan for evidence of compromise
AWS offers Git projects you can install that can help you protect your account:
- Git Secrets can scan merges, commits, and commit messages for secret information (that is, access keys). If Git Secrets detects prohibited regular expressions, it can reject those commits from being posted to public repositories.
- Use AWS Step Functions and AWS Lambda to generate Amazon CloudWatch Events from AWS Health or by Trusted Advisor. If there is evidence that your access keys are compromised, the projects can help you to automatically detect, log, and mitigate the event.