[AWS] AWS account hacking prevention and remediation measures

Modified on Fri, Oct 21, 2022 at 10:27 AM

Hello,

This is Bespin Global Cloud Technical Support Team.

 

We would like to show you how to request Cloud Technical Support through our customer support portal.

 

As cloud security has become more important, the number of account compromise cases has been increasing.

Our team would like to inform you about AWS account hacking prevention and remediation measures.

 

 

"What happens if my account gets compromised?"

When an account is compromised, the first place to look is the cost.

If the cost is much higher than usual, you should suspect that the account has been compromised.

Usually, an account is compromised because an AWS access key was exposed in a public space such as GitHub.

If an AWS access key is leaked, an unauthorized user is created without your knowledge, and that user starts creating resources, resulting in a large cost.

If the cost is much higher than usual, check whether any unauthorized resources or users have been created, and then take the appropriate remediation steps described in the link below:

 

 

#1 What do I do if I notice unauthorized activity in my AWS account?

https://aws.amazon.com/ko/premiumsupport/knowledge-center/potential-account-compromise/
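One way to run the check for unauthorized users and resources against CloudTrail records is sketched below. This is an added example, not Bespin Global or AWS code; the function names are hypothetical, the sample records are constructed, and it assumes the records are already loaded as a list using CloudTrail's record field names.

```python
import json
from collections import defaultdict

# IAM calls that add an identity or credential, and the EC2 call that launches
# instances: the sequence the article describes after an access key leak.
IDENTITY_EVENTS = {"CreateUser", "CreateAccessKey", "CreateLoginProfile"}
RESOURCE_EVENTS = {"RunInstances"}

# Constructed sample records: documentation-range IPs, AWS's example key IDs.
SAMPLE = json.loads("""[
 {"eventName":"CreateUser","awsRegion":"us-east-1","sourceIPAddress":"203.0.113.7",
  "userIdentity":{"accessKeyId":"AKIAIOSFODNN7EXAMPLE"},
  "requestParameters":{"userName":"svc-backup2"}},
 {"eventName":"CreateAccessKey","awsRegion":"us-east-1","sourceIPAddress":"203.0.113.7",
  "userIdentity":{"accessKeyId":"AKIAIOSFODNN7EXAMPLE"},
  "requestParameters":{"userName":"svc-backup2"}},
 {"eventName":"RunInstances","awsRegion":"ap-south-1","sourceIPAddress":"203.0.113.7",
  "userIdentity":{"accessKeyId":"AKIAIOSFODNN7EXAMPLE"}},
 {"eventName":"RunInstances","awsRegion":"ap-northeast-2","sourceIPAddress":"198.51.100.10",
  "userIdentity":{"accessKeyId":"AKIAI44QH8DHBEXAMPLE"}},
 {"eventName":"CreateUser","awsRegion":"us-east-1","sourceIPAddress":"198.51.100.10",
  "errorCode":"AccessDenied","userIdentity":{"accessKeyId":"AKIAI44QH8DHBEXAMPLE"},
  "requestParameters":{"userName":"test"}}
]""")

def review_access_keys(records):
    """Per access key: IAM users it created, regions it launched in, source IPs."""
    keys = defaultdict(lambda: {"created_users": set(), "launch_regions": set(), "source_ips": set()})
    for rec in records:
        name = rec.get("eventName")
        if name not in IDENTITY_EVENTS | RESOURCE_EVENTS or "errorCode" in rec:
            continue  # skip unrelated calls and calls that failed
        key_id = (rec.get("userIdentity") or {}).get("accessKeyId", "<no access key>")
        entry = keys[key_id]
        entry["source_ips"].add(rec.get("sourceIPAddress"))
        if name in IDENTITY_EVENTS:
            user = (rec.get("requestParameters") or {}).get("userName")
            entry["created_users"].add(user or "<self>")  # no userName: caller's own identity
        else:
            entry["launch_regions"].add(rec.get("awsRegion"))
    return dict(keys)

def keys_to_investigate(records):
    """Keys that both added IAM identities and launched instances: review these first."""
    return sorted(k for k, v in review_access_keys(records).items()
                  if v["created_users"] and v["launch_regions"])

if __name__ == "__main__":
    print(keys_to_investigate(SAMPLE))
```

A key listed here is a starting point for review, not proof of compromise: compare the users it created, the launch regions and the source IPs with what your team actually did.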

 


The first important point in the account hacking issue is that "the user is responsible for account security."

AWS security and compliance are considered a joint responsibility of AWS and its customers.

Please note that you are also responsible for all activities that occur in your account.

Therefore, users are responsible for configuring the security group firewall provided by AWS to prevent their accounts from being compromised.

 

 

#2 AWS Shared Responsibility Model

https://aws.amazon.com/ko/compliance/shared-responsibility-model/

 

 

 

The second most important point is "Prevention." 

It's best to proactively prevent your account from being compromised.

 

Below are AWS Security Best Practices recommended by AWS.

Please refer to the information and make efforts to secure your account.

 

1. Set MFA on the root account and IAM users

2. Beware of Access Key Leakage

3. Monitoring with CloudTrail

4. Instance Monitoring with CloudWatch

5. Security Audit with AWS Trusted Advisor

6. Cost monitoring through OpsNow Budgeting alarm feature

 

For more information, please refer to the links on AWS and OpsNow below.

 

#3 Security Best Practices for AWS IAM

https://docs.aws.amazon.com/ko_kr/IAM/latest/UserGuide/best-practices.html

 

#4 Best practices for account and resource protection

https://aws.amazon.com/ko/premiumsupport/knowledge-center/security-best-practices/

 

#5 AWS CloudTrail

https://aws.amazon.com/ko/cloudtrail/getting-started/

 

#6 Monitor your instances using CloudWatch

https://docs.aws.amazon.com/ko_kr/AWSEC2/latest/UserGuide/using-cloudwatch.html

 

#7 Security Audit with Trusted Advisor

https://aws.amazon.com/ko/premiumsupport/technology/trusted-advisor/best-practice-checklist/

 

#8 OpsNow Budgeting Alarm Features

https://metering.opsnow.com/guide/ko/user-guide-metering-ko.html#budgeting

 

 

 

 

The third important point is "follow-up."

 

If your account has been compromised and you receive a hacking-related Abuse report from AWS, you should take at least the minimum follow-up actions listed below on the compromised account and reply to the open case.

 

If you do not reply to the Abuse report within 24 hours, AWS may block your resources or suspend your account.

 

1. Delete unauthorized resources

2. Change AWS root user password and all IAM user passwords

3. Replace and delete all AWS access keys

4. Delete unauthorized IAM users

 

For more information, please refer to the AWS link below, and if you have any difficulty in proceeding, please leave an inquiry on our Customer Support Portal.

 

#9 What do I do when I receive an abuse report from AWS about my resources?

https://aws.amazon.com/ko/premiumsupport/knowledge-center/aws-abuse-report/

 

If you have any questions or need assistance, please contact our Customer Support Portal.

Thank you.
