What do I do if I notice unauthorized activity in my AWS account?

6 minute read
1

I see resources that I don't remember creating in the AWS Management Console. Or, I received a notification that my AWS resources or account might be compromised.

Short description

If you suspect unauthorized activity in your AWS account, then to verify if the activity was unauthorized, complete the following steps:

  • Identify unauthorized actions taken by the AWS Identity and Access Management (IAM) identities in your account.
  • Identify unauthorized access or changes to your account.
  • Identify the creation of unauthorized resources.
  • Identify the creation of unauthorized IAM resources, such as roles, managed policies, or management changes such as fraudulent linked accounts created in your AWS Organization.

Then, if you see unauthorized activity, follow the instructions in the If there was unauthorized activity in your AWS account section of this article.

Note: If you can't sign in to your account, then see What do I do if I'm having trouble signing in to or accessing my AWS account?

Resolution

Verify if there was unauthorized activity in your AWS account

Identify unauthorized actions taken by the IAM identities in your account

Complete the following steps:

  1. Determine the last time that each IAM user password or access key was used. For instructions, see Getting credential reports for your AWS account.
  2. Determine what IAM users, user groups, roles, and policies were used recently. For instructions, see Viewing last accessed information for IAM.

Identify unauthorized access or changes to your account

For instructions, see How can I monitor the account activity of specific IAM users, roles, and AWS access keys? Also, see How can I troubleshoot unusual resource activity with my AWS account?

Identify the creation of unauthorized resources or IAM users

To identify unauthorized resource usage, including unexpected services, Regions, or charges to your account, review the following:

Note: You can also use AWS Cost Explorer to review the charges and usage associated with your AWS account. For more information, see How can I use Cost Explorer to analyze my spending and usage?

If there was unauthorized activity in your AWS account

Important: If you received a notification from AWS about irregular activity in your account, then first do the following instructions. Then, respond to the notification in the AWS Support Center with a confirmation of the actions that you completed.

Rotate and delete exposed account access keys

Check the irregular activity notification sent by AWS Support for exposed account access keys. If there are keys listed, then complete the following steps for those keys:

  1. Create a new AWS access key.
  2. Modify your application to use the new access key.
  3. Deactivate the original access key.
    Important: Don't delete the original access key yet. Deactivate the original access key only.
  4. Verify that there are no issues with your application. If there are issues, reactivate the original access key temporarily to remediate the problem.
  5. If your application is fully functional after deactivating the original access key, then delete the original access key.
  6. Delete the AWS account root user access keys that you no longer need or didn't create.

For more information, see Best practices for managing AWS access keys and Managing access keys for IAM users.

Rotate potentially unauthorized IAM user credentials

Complete the following steps:

  1. Open the IAM console.
  2. In the left navigation pane, choose Users. A list of the IAM users in your AWS account appears.
  3. Choose the name of the first IAM user on the list. The IAM user's Summary page opens.
  4. In the Permissions tab, under the Permissions policies section, look for a policy named AWSCompromisedKeyQuarantineV2. If the user has this policy attached, then rotate the access keys for the user.
  5. Repeat steps 3 and 4 for each IAM user in your account.
  6. Delete IAM users that you didn't create.
  7. Change the password for all of the IAM users that you created and want to keep.

If you use temporary security credentials, then see Revoking IAM role temporary security credentials.

Check your AWS CloudTrail logs for unsanctioned activity

Complete the following steps:

  1. Open the AWS CloudTrail console.
  2. In the left navigation pane, choose Event history.
  3. Review for unsanctioned activity, such as the creation of access keys, policies, roles, or temporary security credentials.
    Important: Be sure to review the Event time to confirm if the resources were created recently and match the irregular activity.
  4. Delete access keys, policies, roles, or temporary security credentials that you identified as unsanctioned.

For more information, see Working with CloudTrail.

Delete unrecognized or unauthorized resources

Complete the following steps:

1.    Sign in to the AWS Management Console. Then, verify that all the resources in your account are resources that you launched. Be sure to check and compare the usage from the previous month to the current one. Make sure that you look for all resources in all AWS Regions, even in Regions where you never launched resources. Also, pay special attention to the following resource types:

2.    Delete unrecognized or unauthorized resources. For instructions, see How do I terminate active resources that I no longer need on my AWS account?

Important: If you must keep resources for investigation, then consider backing up those resources. For example, if you must retain an EC2 instance for regulatory, compliance, or legal reasons, then create an Amazon EBS snapshot before terminating the instance.

Recover backed-up resources

If you configured services to maintain backups, then recover those backups from their last known uncompromised state.

For more information about how to restore specific types of AWS resources, see the following:

Verify your account information

Verify that all of the following information is correct in your AWS account:

Note: For more information about AWS account security best practices, see What are some best practices for securing my AWS account and its resources?

Related information

AWS security incident response guide

AWS security credentials

AWS security audit guidelines

Best practices for Amazon EC2