How can I troubleshoot unusual resource activity with my AWS account?

Last updated: 2019-10-10

I want to determine which AWS Identity and Access Management (IAM) user created a resource and restrict access.

Short Description

Unauthorized account activity, such as new services unexpectedly launched, can indicate that your AWS credentials are compromised. Someone with malicious intent can use your credentials to access your account and perform any activity that the IAM policies attached to those credentials permit. For more information, see My AWS account may be compromised and the AWS Customer Agreement.

Resolution

Identify the compromised IAM user and access key. Then, disable them. Use AWS CloudTrail to search for API event history associated with the compromised IAM user.

In the following example, an Amazon Elastic Compute Cloud (Amazon EC2) instance launched unexpectedly.

Note: These instructions apply to long-term security credentials, not temporary security credentials. To disable temporary credentials, see Disabling Permissions for Temporary Security Credentials.

Identify the Amazon EC2 instance ID

  1. Open the Amazon EC2 console, and then choose Instances.
  2. Choose the EC2 instance, and then choose the Description tab.
  3. Copy the Instance ID.

Locate the IAM access key ID and user name used to launch the instance

  1. Open the CloudTrail console, and then choose Event history.
  2. Select the Filter drop-down menu, and then choose Resource name.
  3. In the Enter resource name field, paste the EC2 instance ID, and then press Enter.
  4. Expand the Event name for RunInstances.
  5. Copy the AWS access key, and take note of the User name.

Disable the IAM user, create a backup IAM access key, and then disable the compromised access key

  1. Open the IAM console, and then paste the IAM access key ID in the Search IAM bar.
  2. Choose the user name, and then choose the Security credentials tab.
  3. In Console password, choose Manage.
    Note: If the AWS Management Console password is set to Disabled, you can skip this step.
  4. In Console access, choose Disable, and then choose Apply.
    Important: Users whose accounts are disabled can't access the AWS Management Console. However, if the user has active access keys, they can still access AWS services using API calls.
  5. Follow the instructions to rotate access keys for an IAM user without interrupting your applications (console).
  6. For the compromised IAM access key, choose Make inactive.
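The three steps above (disable console access, rotate, then deactivate the compromised key) as an added example that is not part of the original article, written against the boto3 IAM client API. The user name, access key IDs and the in-memory FakeIam client are constructed for this example so it runs offline; the same function works against a real boto3.client("iam"), which is assumed to be installed and configured only when you run it with arguments.

```python
"""Containment for a compromised long-term IAM access key, in the order the article gives:
disable console sign-in, issue a replacement key, then make the compromised key inactive.

`iam` is a boto3 IAM client (or anything exposing the same four methods); the calls used are
delete_login_profile, list_access_keys, create_access_key and update_access_key.
"""


def contain_compromised_key(iam, user_name, compromised_key_id):
    """Returns what was done so the responder can hand the new key to the application owner."""
    # Step 1: disable console access. IAM has no separate "disable password" call; removing the
    # login profile is what the console's Disable button does. A user with no profile raises
    # NoSuchEntity, which is the article's "password already Disabled, skip this step" case.
    try:
        iam.delete_login_profile(UserName=user_name)
        console_disabled = True
    except iam.exceptions.NoSuchEntityException:
        console_disabled = False

    # Step 2: rotate before deactivating, so applications can switch to the new key without an
    # outage. IAM allows at most two access keys per user; if both slots are taken, a replacement
    # cannot be created, but containment must still go ahead.
    existing = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    new_key = None
    if len(existing) < 2:
        new_key = iam.create_access_key(UserName=user_name)["AccessKey"]

    # Step 3: make the compromised key inactive rather than deleting it. An inactive key keeps its
    # CloudTrail history searchable and can be reactivated if the wrong key was picked; delete it
    # only after the review is complete.
    iam.update_access_key(UserName=user_name, AccessKeyId=compromised_key_id, Status="Inactive")
    return {"console_disabled": console_disabled, "new_key": new_key,
            "rotation_blocked": new_key is None, "deactivated": compromised_key_id}


class FakeIam:
    """Constructed in-memory stand-in for the boto3 IAM client, so the example runs offline.
    users: {user_name: {"login_profile": bool, "keys": {access_key_id: "Active" | "Inactive"}}}"""

    class exceptions:
        class NoSuchEntityException(Exception):
            pass

    def __init__(self, users):
        self.users = users
        self.calls = []  # ordered log of API calls, to check that rotation precedes deactivation

    def delete_login_profile(self, UserName):
        self.calls.append(("delete_login_profile", UserName))
        if not self.users[UserName]["login_profile"]:
            raise self.exceptions.NoSuchEntityException(UserName)
        self.users[UserName]["login_profile"] = False

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [{"AccessKeyId": k, "Status": s}
                                      for k, s in self.users[UserName]["keys"].items()]}

    def create_access_key(self, UserName):
        key_id = "AKIAFAKE%012d" % len(self.users[UserName]["keys"])  # constructed key ID
        self.users[UserName]["keys"][key_id] = "Active"
        self.calls.append(("create_access_key", UserName))
        return {"AccessKey": {"AccessKeyId": key_id, "SecretAccessKey": "constructed", "Status": "Active"}}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.calls.append(("update_access_key", AccessKeyId, Status))
        self.users[UserName]["keys"][AccessKeyId] = Status


def demo():
    """The article's scenario against the fake client: one console-enabled user with one active key."""
    fake = FakeIam({"ci-deploy": {"login_profile": True, "keys": {"AKIAIOSFODNN7EXAMPLE": "Active"}}})
    result = contain_compromised_key(fake, "ci-deploy", "AKIAIOSFODNN7EXAMPLE")
    return fake, result


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        import boto3  # assumed installed and configured; only needed against a real account
        print(contain_compromised_key(boto3.client("iam"), sys.argv[1], sys.argv[2]))
    else:
        fake, result = demo()
        print(result)
        print(fake.calls)
```

Run it without arguments to see the call order against the fake client, or as `python contain.py <user-name> <compromised-key-id>` against a real account. The order matters for the article's Important note: deleting the login profile alone leaves every active access key usable, so the function never returns before the compromised key is inactive, even when the two-key limit prevents creating a replacement.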

Review CloudTrail event history for activity by the compromised access key

  1. Open the CloudTrail console, and then choose Event history from the navigation pane.
  2. Select the Filter drop-down menu, and then choose AWS access key.
  3. In the Enter AWS access key field, enter the compromised IAM access key ID.
  4. Expand the Event name for the API call RunInstances.
    Note: You can view event history for the last 90 days.
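The two CloudTrail lookups in this article (find the RunInstances event for an instance ID and read off the access key and user name, then list everything that key did) as an added example that is not part of the original article. It works on the CloudTrail record format, which is what the S3 log files carry in their Records array and what `aws cloudtrail lookup-events` returns in each event's CloudTrailEvent field. The records, instance IDs, key IDs, user names and IP addresses are all constructed for this example.

```python
"""Answer "who launched this instance, and what else did that key do?" from CloudTrail records."""
import json
from collections import Counter

# Constructed sample records: every ID, name, key and address below is made up for this example.
SAMPLE_RECORDS = json.loads("""[
 {"eventTime": "2019-10-01T08:02:11Z", "eventName": "CreateUser", "eventSource": "iam.amazonaws.com",
  "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "userName": "admin", "accessKeyId": "AKIAEXAMPLEADMIN0001"},
  "requestParameters": {"userName": "ci-deploy"}, "responseElements": null},
 {"eventTime": "2019-10-02T03:14:07Z", "eventName": "RunInstances", "eventSource": "ec2.amazonaws.com",
  "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.77",
  "userIdentity": {"type": "IAMUser", "userName": "ci-deploy", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
  "requestParameters": {"instancesSet": {"items": [{"imageId": "ami-00000000000000000", "minCount": 1, "maxCount": 1}]},
                        "instanceType": "p3.16xlarge"},
  "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0123456789abcdef0"}]}}},
 {"eventTime": "2019-10-02T03:14:30Z", "eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com",
  "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.77",
  "userIdentity": {"type": "IAMUser", "userName": "ci-deploy", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
  "requestParameters": {"groupId": "sg-0fedcba9876543210"}, "responseElements": {"_return": true}},
 {"eventTime": "2019-10-02T03:20:55Z", "eventName": "RunInstances", "eventSource": "ec2.amazonaws.com",
  "awsRegion": "eu-west-1", "sourceIPAddress": "198.51.100.77",
  "userIdentity": {"type": "IAMUser", "userName": "ci-deploy", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
  "requestParameters": {"instancesSet": {"items": [{"imageId": "ami-00000000000000000", "minCount": 2, "maxCount": 2}]}},
  "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0aaaaaaaaaaaaaaa1"}, {"instanceId": "i-0aaaaaaaaaaaaaaa2"}]}}},
 {"eventTime": "2019-10-02T09:00:00Z", "eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
  "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "userName": "admin", "accessKeyId": "AKIAEXAMPLEADMIN0001"},
  "requestParameters": {}, "responseElements": null}
]""")


def instance_ids(record):
    """Instance IDs an EC2 record touched. RunInstances reports the new IDs in responseElements;
    Stop/Start/Terminate name existing IDs in requestParameters. Either section may be null."""
    ids = set()
    for section in ("responseElements", "requestParameters"):
        items = ((record.get(section) or {}).get("instancesSet") or {}).get("items") or []
        ids.update(item["instanceId"] for item in items if "instanceId" in item)
    return ids


def principal(record):
    """Access key and user name behind a record. For an IAM user they sit directly in userIdentity;
    for an assumed role (temporary credentials, outside this article's scope) the role name is under
    sessionContext.sessionIssuer, so fall back to that rather than returning nothing."""
    ident = record["userIdentity"]
    issuer = (ident.get("sessionContext") or {}).get("sessionIssuer") or {}
    return {"accessKeyId": ident.get("accessKeyId"),
            "userName": ident.get("userName") or issuer.get("userName"),
            "type": ident.get("type")}


def find_launch_event(records, instance_id):
    """Section 'Locate the IAM access key ID and user name': the RunInstances event whose
    response contains this instance ID, reduced to what the responder needs."""
    for rec in records:
        if rec["eventName"] == "RunInstances" and instance_id in instance_ids(rec):
            return dict(principal(rec), eventTime=rec["eventTime"],
                        awsRegion=rec["awsRegion"], sourceIPAddress=rec["sourceIPAddress"])
    return None


def events_by_access_key(records, access_key_id):
    """Section 'Review CloudTrail event history': every call made with one key, oldest first."""
    hits = [r for r in records if r["userIdentity"].get("accessKeyId") == access_key_id]
    return sorted(hits, key=lambda r: r["eventTime"])


def blast_radius(records, access_key_id):
    """What has to be contained: (eventName, region) call counts and every instance the key touched."""
    hits = events_by_access_key(records, access_key_id)
    calls = Counter((r["eventName"], r["awsRegion"]) for r in hits)
    touched = set()
    for r in hits:
        touched |= instance_ids(r)
    return calls, touched


if __name__ == "__main__":
    who = find_launch_event(SAMPLE_RECORDS, "i-0123456789abcdef0")
    print("launched by", who)
    calls, touched = blast_radius(SAMPLE_RECORDS, who["accessKeyId"])
    for (name, region), n in sorted(calls.items()):
        print(f"{n:3d}  {name} in {region}")
    print("instances touched:", sorted(touched))
```

To feed it real data instead of the constructed records, the CLI equivalents of the two console filters are `aws cloudtrail lookup-events --lookup-attributes AttributeKey=ResourceName,AttributeValue=<instance-id>` and `... AttributeKey=AccessKeyId,AttributeValue=<access-key-id>`; each returned event carries the record as a JSON string in CloudTrailEvent, so parse that field before passing the records in. Note that the region grouping matters: lookup-events is per region, and the sample shows why the second RunInstances in eu-west-1 would be missed by a search run only in us-east-1.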

You can also search CloudTrail event history to determine how a security group or other resource was changed, and to find the API calls that run, stop, start, and terminate EC2 instances.

For more information, see Viewing Events with CloudTrail Event History.