Unauthorized Activity in Your Account – Incident Response – SCS-C02 Study Guide

Unauthorized Activity in Your Account

If you receive a notice from AWS Support that your account has been used abusively, or if you suspect unauthorized activity in your account, the following steps help you confirm whether unauthorized activity actually occurred:

  • Check whether any resources have been created that you did not authorize.
  • Check for unauthorized access to, or changes in, your account.
  • Check for unauthorized actions in the IAM service, including added or modified managed policies, users, or roles. CloudTrail records every IAM API call, so it shows who made each change and when.
  • Run the credential report for your AWS account to see when each IAM user's password and each access key was last used, and when each user and key was created.
  • Run the Trusted Advisor checks and compare them with your last run to see whether new findings have appeared.
  • In AWS Cost Explorer, verify that no extra resources were launched (and possibly terminated again) since the time you suspect the abuse began; short-lived resources may have left no trace other than their cost.
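The credential report check above is easier to act on with a script than by eye. The following is an added example, not part of the study guide, that parses an IAM credential report (the CSV returned by `aws iam generate-credential-report` followed by `aws iam get-credential-report`) and flags what the checklist asks about: root access keys, users and keys created or used after the time you suspect the abuse began, console users without MFA, and usernames outside your convention. The report rows, the account id, the 2024-05-01 "suspected since" time and the `svc-<name>` / `first.last` naming rule are all constructed assumptions for the example; only the column set matches the live report.

```python
import csv
import io
import re
import time
from datetime import datetime, timezone

ROOT = "<root_account>"  # how the credential report names the root user

# Assumed naming convention for this example: service users "svc-<name>",
# humans "first.last". Anything else gets flagged for a human to look at.
NAME_POLICY = re.compile(r"^(svc-[a-z0-9-]+|[a-z]+\.[a-z]+)$")

# When you believe the abuse started (constructed for the example).
SUSPECTED_SINCE = datetime(2024, 5, 1, 20, 0, tzinfo=timezone.utc)

# Constructed sample report. The header is the live report's column set; the
# account id, users and timestamps are invented. Row 1 is the root user, row 2
# a legitimate service user, row 3 a user an attacker might have added.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2021-03-01T09:00:00+00:00,not_supported,2024-04-20T08:11:02+00:00,not_supported,not_supported,true,true,2024-05-01T22:40:12+00:00,2024-05-02T01:03:55+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
svc-billing-export,arn:aws:iam::111122223333:user/svc-billing-export,2022-07-14T12:00:00+00:00,false,N/A,N/A,N/A,false,true,2024-01-10T10:00:00+00:00,2024-04-30T06:15:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
backup2,arn:aws:iam::111122223333:user/backup2,2024-05-01T23:02:17+00:00,true,2024-05-02T00:10:44+00:00,2024-05-01T23:02:17+00:00,N/A,false,true,2024-05-01T23:03:01+00:00,2024-05-02T02:47:31+00:00,ap-southeast-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""


def fetch_live_report(iam):
    """Pull the current report through a boto3 IAM client (not used by the demo).
    Generation is asynchronous, so poll until State is COMPLETE; boto3 hands back
    Content already base64-decoded."""
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)
    return iam.get_credential_report()["Content"].decode()


def parse_ts(value):
    """The report uses several placeholders where there is no timestamp."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def triage(report_csv, suspected_since):
    """Return (user, finding) pairs that deserve a human look."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == ROOT:
            # Root should have no access keys at all, used or not.
            if any(row[f"access_key_{n}_active"] == "true" for n in ("1", "2")):
                findings.append((user, "root user has an active access key; root should have none"))
        else:
            created = parse_ts(row["user_creation_time"])
            if created and created >= suspected_since:
                findings.append((user, "created after suspected compromise"))
            if not NAME_POLICY.match(user):
                findings.append((user, "username does not match naming convention"))
            if row["password_enabled"] == "true" and row["mfa_active"] != "true":
                findings.append((user, "console password without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            # last_rotated is the key's creation time if it was never rotated.
            rotated = parse_ts(row[f"access_key_{n}_last_rotated"])
            if rotated and rotated >= suspected_since:
                findings.append((user, f"access key {n} created after suspected compromise"))
            used = parse_ts(row[f"access_key_{n}_last_used_date"])
            if used and used >= suspected_since:
                where = f"{row[f'access_key_{n}_last_used_service']} in {row[f'access_key_{n}_last_used_region']}"
                findings.append((user, f"access key {n} used after suspected compromise ({where})"))
    return findings


def demo_findings():
    return triage(SAMPLE_REPORT, SUSPECTED_SINCE)


if __name__ == "__main__":
    for user, finding in demo_findings():
        print(f"{user}: {finding}")
```

On the sample, the legitimate service user produces no findings, while the root user (an active key, created and used after the suspicion time) and `backup2` (created after the suspicion time, off-convention name, no MFA, fresh key already used from another Region) are flagged. Replace `SAMPLE_REPORT` with `fetch_live_report(boto3.client("iam"))` to run it against a real account.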

What to Do if You Do Find Traces of Abuse

If the preceding steps show signs of abuse or illegitimate activity in your account, take the following steps:

  1. Rotate and delete any exposed access keys / secret access keys:
    i. Create a new access key and secret access key for the affected IAM user. IAM allows at most two access keys per user, so if the user already has two, deactivate and delete the one that is not in use before you can create the replacement.
    ii. Update every application that uses the old access key to use the new one.
    iii. Deactivate the compromised access key only. Do not delete it yet: a deactivated key can be re-enabled if an application you missed stops working, a deleted one cannot.
    iv. After verifying that your applications are fully operational with the new access key, go back and delete the compromised key.
    v. Delete any root user access keys you do not use or did not create. The root user should not have access keys at all.
  2. Remove and rotate credentials for potentially compromised IAM users:
    i. Open the IAM console.
    ii. Choose Users in the left-hand navigation pane to list the users in your account.
    iii. Delete any users that you (or your team) did not create. The credential report records each user's creation time, so sort on that column to find recently created users, and look for usernames that do not conform to your corporate naming policy. CloudTrail CreateUser events show which principal created each of them.
    iv. Back in the list of IAM users, select the first user on the list to open that user's summary page.
    v. On the Permissions tab, under Permissions policies, look for a policy named AWSExposedCredentialPolicy_DO_NOT_REMOVE. AWS attaches this policy to a user when it detects that the user's access key has been exposed (for example, published in a public code repository). If it is present, rotate that user's access keys as described in step 1; leave the policy in place until you have.
    vi. Repeat steps iv and v for every user in the account.
    vii. Change the passwords of all IAM users, and the root user's password.
  3. Verify your account information. Go to your account's contact information and confirm that the following are still correct:
    i. Your account name and root user email address
    ii. Your contact information, including your phone number
    iii. Any alternate contacts (billing, operations, security) you have configured on your AWS account
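Steps 1 and 2 above, as an added example that is not the study guide's own code: the key-rotation order (create, switch the application, deactivate, verify, delete), the two-keys-per-user limit, a refusal to delete a key that was never deactivated, and the check for the AWSExposedCredentialPolicy_DO_NOT_REMOVE quarantine policy, written against the boto3 IAM client calls `list_access_keys`, `create_access_key`, `update_access_key`, `delete_access_key` and `list_attached_user_policies`. The `FakeIAM` class, the user `svc-deploy` and its key `AKIAIOSFODNN7EXAMPLE` (AWS's documentation placeholder key id) are an in-memory stand-in constructed so the file runs without an account; pass `boto3.client("iam")` instead to run it for real.

```python
try:
    import boto3  # only needed to point the functions at a real account
except ImportError:  # the demo below runs against the in-memory stand-in instead
    boto3 = None

# Policy AWS attaches to a user whose access key it has found exposed.
EXPOSED_POLICY = "AWSExposedCredentialPolicy_DO_NOT_REMOVE"
MAX_KEYS_PER_USER = 2  # IAM quota: a user can hold at most two access keys


def has_exposed_credential_policy(iam, user):
    """Step 2.v: True if AWS has already quarantined this user for an exposed key."""
    attached = iam.list_attached_user_policies(UserName=user)["AttachedPolicies"]
    return any(p["PolicyName"] == EXPOSED_POLICY for p in attached)


def key_status(iam, user):
    """Map of access key id -> 'Active' | 'Inactive' for the user."""
    return {k["AccessKeyId"]: k["Status"]
            for k in iam.list_access_keys(UserName=user)["AccessKeyMetadata"]}


def can_add_key(iam, user):
    return len(key_status(iam, user)) < MAX_KEYS_PER_USER


def create_replacement_key(iam, user):
    """Step 1.i: mint the new key. Fails early if the user is already at the quota,
    in which case the unused second key must be deactivated and deleted first."""
    if not can_add_key(iam, user):
        raise RuntimeError(f"{user} already has {MAX_KEYS_PER_USER} access keys")
    return iam.create_access_key(UserName=user)["AccessKey"]


def deactivate_key(iam, user, key_id):
    """Step 1.iii: deactivate, never delete, the compromised key at this point."""
    if key_id not in key_status(iam, user):
        raise ValueError(f"{key_id} does not belong to {user}")
    iam.update_access_key(UserName=user, AccessKeyId=key_id, Status="Inactive")


def delete_key_if_verified(iam, user, key_id, app_healthy):
    """Step 1.iv: delete only once the application is confirmed working on the new
    key, and only a key that has already been through the deactivation step."""
    if not app_healthy:
        return False
    if key_status(iam, user).get(key_id) != "Inactive":
        raise RuntimeError(f"{key_id} is still active; deactivate it and re-verify first")
    iam.delete_access_key(UserName=user, AccessKeyId=key_id)
    return True


class FakeIAM:
    """In-memory stand-in for the five boto3 IAM calls used above, so the file runs
    without an account. Users, keys and policies are constructed for the demo."""

    def __init__(self, users):
        self.users = users  # name -> {"keys": {key_id: status}, "policies": [names]}
        self._n = 0

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [{"UserName": UserName, "AccessKeyId": k, "Status": s}
                                      for k, s in self.users[UserName]["keys"].items()]}

    def create_access_key(self, UserName):
        if len(self.users[UserName]["keys"]) >= MAX_KEYS_PER_USER:
            raise RuntimeError("LimitExceeded")  # the real API raises LimitExceededException here
        self._n += 1
        key_id = f"AKIAFAKE{self._n:012d}"
        self.users[UserName]["keys"][key_id] = "Active"
        return {"AccessKey": {"UserName": UserName, "AccessKeyId": key_id,
                              "Status": "Active", "SecretAccessKey": "fake-secret"}}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.users[UserName]["keys"][AccessKeyId] = Status

    def delete_access_key(self, UserName, AccessKeyId):
        del self.users[UserName]["keys"][AccessKeyId]

    def list_attached_user_policies(self, UserName):
        return {"AttachedPolicies": [{"PolicyName": n} for n in self.users[UserName]["policies"]]}


def demo(iam=None):
    """Run the full step-1 sequence for one quarantined user."""
    iam = iam or FakeIAM({"svc-deploy": {"keys": {"AKIAIOSFODNN7EXAMPLE": "Active"},
                                          "policies": [EXPOSED_POLICY]}})
    user, old = "svc-deploy", "AKIAIOSFODNN7EXAMPLE"
    quarantined = has_exposed_credential_policy(iam, user)
    new = create_replacement_key(iam, user)
    # Step 1.ii happens here: push new["AccessKeyId"] / new["SecretAccessKey"] to the app.
    deactivate_key(iam, user, old)
    deleted = delete_key_if_verified(iam, user, old, app_healthy=True)
    return quarantined, new["AccessKeyId"], deleted, key_status(iam, user)


if __name__ == "__main__":
    print(demo())
```

Keeping deactivation and deletion as separate functions, with the delete refusing an `Active` key, encodes the guide's "deactivate only, do not delete yet" rule so that a hurried responder cannot skip it.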

Now that you know how to handle an incident involving unauthorized access to your AWS account, you can learn how to isolate an EC2 instance that you suspect of suspicious behavior so you can examine it further.