If you suspect that your AWS account has been compromised and large EC2 instances were launched by an unauthorized user (the classic pattern is a leaked access key followed by cryptocurrency mining on GPU or large compute instances), it is critical to contain the breach immediately and then investigate. Two things shape every step below: attackers routinely launch instances in regions you never use, so each check must be repeated in every enabled region, and anything you terminate is evidence you can no longer examine, so stop and snapshot before you delete. Follow these steps:
1. Immediate Containment
- Deactivate the compromised access key: the access key ID and secret access key are one credential, so set that key to Inactive in IAM as soon as you suspect it has leaked. Deactivating rather than deleting keeps the key ID searchable in CloudTrail and lets you re-enable it for a few minutes if a forgotten workload breaks; delete it once the investigation is complete.
- Revoke sessions that are already open: deactivating a key does not end STS sessions that were obtained before you acted. For each IAM role the attacker could have assumed, use "Revoke active sessions" in the IAM console, which attaches an inline policy denying all actions to credentials issued before the current time (the aws:TokenIssueTime condition key). Deactivate any users or keys the attacker created as well, after recording their names and key IDs.
- Rotate all access keys: rotate the keys of every IAM user and application, not just the one you believe leaked, because you do not yet know the blast radius, and rotate any secrets stored in the account (Secrets Manager, Parameter Store, database passwords) that the compromised identity was able to read.
- Stop unauthorized instances, but do not terminate them yet: stopping ends the compute charges, while termination destroys the volumes you will need for forensics. Before stopping, snapshot each instance's EBS volumes and record its instance type, AMI, key pair and user data. Also look for Auto Scaling groups, Spot requests and launch templates the attacker created, or the stopped instances will simply be relaunched. Repeat this in every region.
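The containment steps above, written out as an added example that is not code from the original page or from AWS. The functions take a boto3-style client and use only real boto3 method names, but the DryRunClient below is a constructed stand-in that merely records the calls, so the script runs offline; the user name, role name, key ID, instance ID and security group ID are placeholders. Note the order in preserve_and_stop: snapshots are taken while the instance is still running and before anything could terminate it, and revoke_sessions_policy is the deny policy that the IAM console's "Revoke active sessions" button attaches, the only way to cut off STS sessions the attacker already holds.

```python
"""Containment helpers for a compromised AWS account.
Added example, not code from the original page or from AWS. The functions take
a boto3-style client and call only real boto3 method names; DryRunClient is a
constructed stand-in that records the calls so the logic runs offline."""
import json
from datetime import datetime, timezone

EXAMPLE_CUTOFF = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # constructed


def revoke_sessions_policy(cutoff):
    """Inline policy denying everything to credentials issued before `cutoff`.
    This is what the IAM console's "Revoke active sessions" button attaches;
    deactivating a key does not end STS sessions that were already issued."""
    stamp = cutoff.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Deny", "Action": ["*"], "Resource": ["*"],
                           "Condition": {"DateLessThan": {"aws:TokenIssueTime": stamp}}}]}


def contain_user_key(iam, user_name, access_key_id):
    """Deactivate rather than delete: the key ID stays searchable in CloudTrail
    and can be re-enabled for minutes if a forgotten workload breaks."""
    iam.update_access_key(UserName=user_name, AccessKeyId=access_key_id, Status="Inactive")


def revoke_role_sessions(iam, role_name, cutoff):
    iam.put_role_policy(RoleName=role_name, PolicyName="AWSRevokeOlderSessions",
                        PolicyDocument=json.dumps(revoke_sessions_policy(cutoff)))


def preserve_and_stop(ec2, instance_id, quarantine_sg):
    """Evidence first, then stop: snapshot every EBS volume while the instance
    still runs, lock it against termination, swap its security groups for an
    empty quarantine group, then stop it (stopping ends the bill; termination
    would destroy the disks). Returns the snapshot IDs."""
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    snapshots = []
    for mapping in inst.get("BlockDeviceMappings", []):
        vol = mapping["Ebs"]["VolumeId"]
        snap = ec2.create_snapshot(VolumeId=vol, Description=f"IR evidence {instance_id} {vol}")
        snapshots.append(snap["SnapshotId"])
    ec2.modify_instance_attribute(InstanceId=instance_id, DisableApiTermination={"Value": True})
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg])
    ec2.stop_instances(InstanceIds=[instance_id])
    return snapshots


class DryRunClient:
    """Constructed stand-in for boto3.client(...): records calls, returns canned data."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def method(**kwargs):
            self.calls.append((name, kwargs))
            if name == "describe_instances":
                return {"Reservations": [{"Instances": [{
                    "InstanceId": kwargs["InstanceIds"][0],
                    "BlockDeviceMappings": [{"Ebs": {"VolumeId": "vol-0aaa"}},
                                            {"Ebs": {"VolumeId": "vol-0bbb"}}]}]}]}
            if name == "create_snapshot":
                return {"SnapshotId": "snap-" + kwargs["VolumeId"].split("-")[1]}
            return {}
        return method


if __name__ == "__main__":
    # Real use: iam = boto3.client("iam"); ec2 = boto3.client("ec2", region_name=r)
    # for every region returned by boto3.client("ec2").describe_regions().
    iam, ec2 = DryRunClient(), DryRunClient()
    contain_user_key(iam, "deploy-bot", "AKIAIOSFODNN7EXAMPLE")  # AWS docs example key ID
    revoke_role_sessions(iam, "AdminRole", EXAMPLE_CUTOFF)
    snaps = preserve_and_stop(ec2, "i-0123456789abcdef0", "sg-0123456789abcdef1")  # placeholders
    for name, kwargs in iam.calls + ec2.calls:
        print(name, json.dumps(kwargs))
    print("evidence snapshots:", snaps)
```

For real use, the quarantine security group must already exist with no inbound or outbound rules, and the EC2 calls must be repeated with a client for each region returned by describe_regions; a stopped instance keeps its volumes, so the snapshots plus the stopped instance are enough for later disk analysis. Memory is lost on stop, so capture it first if you need it.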
2. Secure Your Account
- Enable Multi-Factor Authentication (MFA): enable MFA on the root user and on every IAM user, starting with those that hold administrative permissions. If the root user has access keys, delete them; root has no legitimate need for programmatic access.
- Review and Update IAM Policies: make sure your IAM policies follow the principle of least privilege and remove permissions nobody needs, in particular broad iam:* and ec2:RunInstances rights on identities that only read data.
- Check for New or Modified IAM Users and Roles: in the IAM console, look for users, groups, roles and access keys you did not create, but also for changes to existing ones: new inline or attached policies, and role trust policies that now allow another AWS account to assume the role. These are common ways an attacker keeps access after you rotate the original key.
- Change the Root Account Password: even if you do not suspect the root user was compromised, change its password, and confirm that the account's email address, phone number and alternate contacts have not been altered, since an attacker who changes them can reset the password later.
3. Investigate the Breach
- Review CloudTrail Logs: first confirm that logging was not tampered with (look for StopLogging, DeleteTrail, UpdateTrail and PutEventSelectors events), then search the event history in each region. Event history covers the last 90 days; if a trail writes to S3, search the log files there for anything older. Look for:
  - API calls from source IP addresses, user agents or identities you do not recognize, often starting with reconnaissance calls such as GetCallerIdentity and DescribeRegions.
  - Creation of IAM users, roles, access keys or login profiles, and policy attachments or trust-policy changes.
  - RunInstances events, noting the instance type, instance count and region.
  - Changes to security group rules, especially AuthorizeSecurityGroupIngress rules open to 0.0.0.0/0.
  Each event records eventName, eventSource, awsRegion, sourceIPAddress, userAgent and the userIdentity (including the accessKeyId) that made the call, which is what lets you tie the activity back to one credential.
- Check the EC2 Console: review the EC2 dashboard in every region for instances, volumes, AMIs, snapshots, key pairs, security groups, Spot requests and Auto Scaling groups you did not create.
- Review Billing and Usage: watch the billing dashboard for unusual spikes and use AWS Cost Explorer to break the charges down by service and region. Cost Explorer data is refreshed at least once every 24 hours, so it lags behind what is running right now; a clean bill today does not mean the account is clean.
4. Audit IAM Access and Keys
- Review Active Access Keys: use the IAM console or the AWS CLI to list every user's access keys and check when each was last used. The IAM credential report gives this for all users at once, and GetAccessKeyLastUsed gives it for a single key, including the service and region it last called. Delete keys that have never been used or have sat unused for months, and treat any key used from the suspicious addresses as compromised.
- Identify Unusual Login Locations: in CloudTrail, compare the sourceIPAddress of ConsoleLogin events and API calls against your known office, VPN and CI ranges, and look at the userAgent as well; a key that has only ever been used by a CI runner and suddenly appears with the CLI from a residential or hosting-provider address is a strong indicator. Calls made on your behalf by AWS services show the service name (for example ec2.amazonaws.com) instead of an IP address.
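Sections 3 and 4 both come down to reading CloudTrail for a handful of event types from a handful of addresses. The script below is an added example, not code from the original page, that runs that triage offline: SAMPLE_EVENTS are constructed records in the real CloudTrail layout (203.0.113.45 plays the attacker, 198.51.100.10 the office network), KNOWN_NETWORKS is a placeholder for your own ranges, and the thresholds for what counts as a "large" launch are this example's own. It flags the persistence and anti-forensics calls listed above, large or bulk RunInstances, security group rules opened to the world, and any call from outside your known networks, then summarizes which regions and source addresses were involved so you know where to repeat the review.

```python
"""Offline triage of CloudTrail events after a suspected compromise.
Added example, not code from the original page. SAMPLE_EVENTS are constructed
records in the real CloudTrail layout; KNOWN_NETWORKS stands in for your own
office/VPN/CI ranges; the "large launch" thresholds are this example's own."""
import ipaddress
import json
import re
from collections import Counter

KNOWN_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]  # constructed placeholder
# Persistence, privilege-escalation and anti-forensics calls worth a second look.
HIGH_RISK_EVENTS = {"CreateUser", "CreateLoginProfile", "CreateAccessKey", "CreateRole",
                    "UpdateAssumeRolePolicy", "AttachUserPolicy", "PutUserPolicy",
                    "AttachRolePolicy", "PutRolePolicy", "AuthorizeSecurityGroupIngress",
                    "StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
ACCELERATED = ("p", "g", "inf", "trn", "dl")  # GPU/ML families favoured by miners


def is_large_type(instance_type):
    """GPU/ML family, bare metal, or 8xlarge and up."""
    family, _, size = instance_type.partition(".")
    if re.match(r"[a-z]*", family).group() in ACCELERATED or "metal" in size:
        return True
    m = re.fullmatch(r"(\d*)xlarge", size)
    return bool(m) and int(m.group(1) or 1) >= 8


def off_network(source_ip):
    """Public IP outside KNOWN_NETWORKS. Service principals such as
    'ec2.amazonaws.com' are not IP addresses and are never flagged here."""
    try:
        ip = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return not any(ip in net for net in KNOWN_NETWORKS)


def load_events(text):
    """Accepts a trail log file ({"Records": [...]}) or the output of
    `aws cloudtrail lookup-events` ({"Events": [{"CloudTrailEvent": "<json>"}]})."""
    doc = json.loads(text)
    if "Records" in doc:
        return doc["Records"]
    return [json.loads(e["CloudTrailEvent"]) for e in doc.get("Events", [])]


def triage(events):
    """One finding per suspicious event, listing every reason it tripped."""
    findings = []
    for ev in events:
        name, req = ev["eventName"], ev.get("requestParameters") or {}
        reasons = ["high-risk API call"] if name in HIGH_RISK_EVENTS else []
        if name == "RunInstances":
            itype = req.get("instanceType", "?")
            launched = (ev.get("responseElements") or {}).get("instancesSet", {}).get("items", [])
            requested = req.get("instancesSet", {}).get("items") or [{}]
            count = len(launched) or requested[0].get("maxCount", 1)
            if is_large_type(itype) or count >= 5:
                reasons.append(f"launched {count} x {itype}")
        for perm in req.get("ipPermissions", {}).get("items", []):  # AuthorizeSecurityGroupIngress
            if any(r.get("cidrIp") == "0.0.0.0/0" for r in perm.get("ipRanges", {}).get("items", [])):
                reasons.append(f"port {perm.get('fromPort')} opened to 0.0.0.0/0")
        src = ev.get("sourceIPAddress", "?")
        if off_network(src):
            reasons.append(f"source {src} outside known networks")
        if reasons:
            who = ev.get("userIdentity", {})
            findings.append({"time": ev["eventTime"], "region": ev.get("awsRegion", "?"),
                             "event": name, "actor": who.get("userName") or who.get("arn", "?"),
                             "key": who.get("accessKeyId"), "source": src, "reasons": reasons})
    return findings


def summarize(findings):
    """Regions and source IPs involved, busiest first: where to repeat the review."""
    return {"by_region": Counter(f["region"] for f in findings).most_common(),
            "by_source": Counter(f["source"] for f in findings).most_common()}


ATTACKER = {"type": "IAMUser", "userName": "deploy-bot", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}
ADMIN = {"type": "IAMUser", "userName": "alice"}


def _ev(time, source, name, region, ip, who, **extra):
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "awsRegion": region, "sourceIPAddress": ip, "userIdentity": who, **extra}


SAMPLE_EVENTS = [  # constructed: 203.0.113.45 is the attacker, 198.51.100.10 the office
    _ev("2024-05-01T08:15:00Z", "ec2.amazonaws.com", "DescribeInstances", "us-east-1", "198.51.100.10", ADMIN),
    _ev("2024-05-01T11:58:02Z", "sts.amazonaws.com", "GetCallerIdentity", "us-east-1", "203.0.113.45", ATTACKER),
    _ev("2024-05-01T12:01:10Z", "ec2.amazonaws.com", "RunInstances", "ap-southeast-1", "203.0.113.45", ATTACKER,
        requestParameters={"instanceType": "p3.16xlarge", "instancesSet": {"items": [{"minCount": 10, "maxCount": 10}]}},
        responseElements={"instancesSet": {"items": [{"instanceId": f"i-0f0000000000000{n:02x}"} for n in range(10)]}}),
    _ev("2024-05-01T12:03:40Z", "iam.amazonaws.com", "CreateUser", "us-east-1", "203.0.113.45", ATTACKER,
        requestParameters={"userName": "backup-svc"}),
    _ev("2024-05-01T12:03:41Z", "iam.amazonaws.com", "CreateAccessKey", "us-east-1", "203.0.113.45", ATTACKER,
        requestParameters={"userName": "backup-svc"}),
    _ev("2024-05-01T12:05:00Z", "cloudtrail.amazonaws.com", "StopLogging", "us-east-1", "203.0.113.45", ATTACKER,
        requestParameters={"name": "main-trail"}),
    _ev("2024-05-01T12:06:30Z", "ec2.amazonaws.com", "AuthorizeSecurityGroupIngress", "ap-southeast-1", "203.0.113.45",
        ATTACKER, requestParameters={"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}),
]

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['time']} {f['region']:<15} {f['event']:<30} {f['actor']} {f['key']}: {'; '.join(f['reasons'])}")
    print(json.dumps(summarize(found), indent=1))
```

To run it on real data, pass the output of aws cloudtrail lookup-events (run once per region) or the JSON files a trail writes to S3 through load_events, and extend KNOWN_NETWORKS with your own ranges before trusting the "outside known networks" reason.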
5. Take Remedial Action
- Limit Access Permissions: until you understand the breach, temporarily restrict permissions for all IAM users (for example by attaching a deny-all or read-only policy to everyone except the responders), and keep a record of what you changed so it can be reverted cleanly.
- Review S3 Buckets and Permissions: a compromised account usually means exposed data as well. Check bucket policies and ACLs for grants to other accounts or to everyone, review S3 server access logs or CloudTrail data events for unexpected GetObject and PutObject calls, and assume that any secrets stored in readable buckets (backups, configuration files, exported keys) are now known to the attacker and need rotating.
6. Contact AWS Support
- File a Support Case: open a support case with AWS at the highest severity your support plan allows. AWS may already have emailed the root address about unusual activity; if so, reply on that case. Support can confirm which resources were created and help with account recovery, but the investigation of your own logs remains your responsibility.
- Request a Cost Refund: if the unauthorized activity produced a significant bill, ask for a billing adjustment in the same case. AWS considers this case by case and will expect to see that the credentials have been rotated and the resources removed, so document your remediation before asking.
7. Enhance Security Posture
- Enable GuardDuty: GuardDuty analyses CloudTrail, VPC Flow Logs and DNS logs and raises findings for exactly this scenario, including credentials used from unusual locations, EC2 instances talking to cryptocurrency mining pools, and CloudTrail being disabled. Enable it in every region, not only the ones you use.
- Set Up Billing Alerts: create an AWS Budgets alert or a CloudWatch alarm on the EstimatedCharges billing metric that notifies you when charges cross a threshold. Billing metrics are published only in us-east-1 and only after you turn on billing alerts in the Billing preferences. Cost Anomaly Detection catches spikes without a fixed threshold and is worth enabling alongside.
- Use AWS Security Hub: enable Security Hub for a consolidated view of GuardDuty and other findings and to score the account against the AWS Foundational Security Best Practices standard, which includes checks for MFA, unused credentials and CloudTrail configuration.
- Prefer short-lived credentials: replace long-lived IAM user access keys with IAM roles (instance profiles for workloads, IAM Identity Center for people, OIDC federation for CI) so there is no static secret to leak, and make sure CloudTrail is enabled in all regions with log file validation turned on.
8. Conduct a Post-Mortem Analysis
- Determine how the compromise occurred. Common causes for this pattern are access keys committed to a public repository, baked into an AMI, container image or client-side code, leaked through an SSRF bug that reached the instance metadata service, or issued to a user with far more permission than the task required.
- Implement stronger controls against that root cause: secret scanning in source control, IMDSv2 enforced on instances, least-privilege policies, and a hard limit on which identities may launch instances at all.
- Regularly review access logs, IAM policies and billing, and keep the credential report, GuardDuty findings and billing alarms under routine watch so the next attempt is caught within minutes rather than on the invoice.
By following these steps you can contain the current incident, understand what happened, and harden the account so that a future compromise is detected and stopped early.