How to identify and stop a compromised AWS account

October 26, 2021 Claranet Limited


Did you know that 72 percent of businesses worldwide allow third parties to access their sensitive data?

Whether through malicious intent or accident, unauthorised access to your networks can pose a huge security risk. If your data is breached, you could face eye-watering [regulatory fines] reputational damage, and downtime.

However, while this may sound all doom and gloom - don't panic. We've got some useful advice to share.

Read on to discover how to identify and stop a compromised AWS account.


Intruder alert: How do you identify an unauthorised user?

There are two sides to this coin. You can either identify an unauthorised user before your AWS account is compromised or afterwards - it all depends on the security mechanisms you have in place.

For the former, we suggest completing regular AWS security audits. These audits will give you the opportunity to remove relevant 'unauthorised' IAM users, permissions and policies. This is especially important for the off boarding process; employees who leave your organisation shouldn't have access to your sensitive AWS data.

If it's already too late, you should be able to identify an unauthorised third party by:

  • Receiving a notification from AWS stating that your account or resource has been compromised.
  • Checking the AWS Management Console to see if there are any unusual new resources.
  • Looking at your AWS bill and identifying anything out of the ordinary. (This could be new resources or a resource in a new AWS region.)

If your account is indeed compromised, your next course of action is to firefight the issue.


4 immediate actions to take

In these scenarios, time is of the essence. The sooner you act, the less damage you'll face. With that in mind, here are four actions to take if a third party compromises your AWS account.

1. Delete relevant access keys and IAM users

If your AWS application uses an access key, make sure you replace it. This is a case of creating a second key and modifying your application/s to use the new version. On top of this, you'll also want to delete all access keys you're no longer using.

You should treat these keys like passwords, and ensure you don't pass them on to unauthorised individuals (or make them publicly available).

In the case of identity and access management (IAM) users, change the passwords of any accounts you want to keep and delete any accounts you didn't create.

You can find more of AWS's best practices around access keys and IAM here.

2. Delete flagged resources

As we stated earlier, it's important to carefully check your AWS account for any anomalies and make a note of the AWS regions for each resource. Naturally, you'll want to terminate any resources you didn't launch.

That said, if you need to keep the instance for further investigation, you may need to back it up first.

3. Reach out to AWS support

Did you receive a 'suspicious activity' alert from AWS? If so, you'll want to log into the AWS Support Centre and respond to the notification.

If you're unsure about the claim, or you'd like support, raise a case with the AWS team. Just make sure you don't reveal any sensitive data within any queries you send. This includes passwords, access keys, and credit card details.

On top of this, ensure that all of your account details are up-to-date and verified. AWS won't be able to provide you with the right support if your details are incorrect.

4. Enable MFA

If you haven't already, enable multi-factor authentication (MFA) for all of your account users, not just the root user. You can do this via the AWS Management Console.

It's also worth attaching tags to any of your virtual MFA devices.


Going forward: 4 important next steps

Depending on the reason behind the incident, you may have to take further actions to ensure history doesn't repeat itself. This is particularly necessary if the unauthorised access was the result of employee error.

Here are some of our tips to ensure you don't fall foul of a breach again.

1. Train your employees

When asked what the best defence against cyberthreats was, 38 percent of IT professionals placed the most emphasis on cybersecurity training.

Indeed, training your employees can go a long way to detecting threats or, better still, preventing them altogether.

So, if you feel like there are some gaps in your teams' knowledge, adopt the training services of a reputable expert. At Claranet, we have beginner, intermediate and advanced levels of security training, and our courses dive into everything from security awareness to infrastructure hacking.

2. Conduct periodic audits

Audits are essential for maintaining the security of your AWS account.

You should conduct these security audits on a regular basis, and not just in special circumstances. (I.e. if an employee leaves or you've added/removed a piece of software from your account.)

Ultimately, they can flag out-of-date policies and highlight any unauthorised users and permissions.

3. Perform regular penetration tests

AWS customers are entitled to carry out penetration tests on permitted AWS services, such as Amazon RDS and Amazon Aurora.

These tests allow you to examine your AWS security policies and see whether your team is able to prevent, detect and expel a hacking attempt. If you fail a penetration test, it's a good indicator that you need further security improvements.

4. Invest in threat detection and response

Finally, you'll want to adopt 24/7 threat detection for your AWS account (and all of your systems!). This will secure your perimeters and ensure no threat slips through the cracks.

If you've already suffered from a compromised account, this is vital for future prevention.

AWS GuardDuty is a brilliant defence against malicious activity across your AWS accounts and services. The tool continuously monitors your workloads and presents you with detailed insights into the issues and how to remedy them.


Protect your AWS account with the experts

Compromised cloud accounts can be a terrifying ordeal. But they're not insurmountable.

Fortunately, even if you do face unauthorised access, there are immediate actions you can take to reduce the damage.

However, we understand that not every business has the skills, resources or time to continually monitor and protect their AWS account and workloads. If you find that this is a problem for your organisation, it may be time to enlist the help of a trusted AWS Managed Security Service partner.

At Claranet, we protect your AWS environment through:

  • Vulnerability management
  • Cloud security best practices
  • Threat detection and response
  • Network security
  • Host and endpoint security
  • Application security

So, if you're in need of a helping hand, give us a call. We'd love to resolve your AWS security headache.



Previous Article
How to start your career in cybersecurity
How to start your career in cybersecurity

Cybersecurity jobs are in demand more than ever before – great news for anyone thinking of starting their c...

Next Article
Can You Cut the Cost of Penetration Testing to Match Your Budget?
Can You Cut the Cost of Penetration Testing to Match Your Budget?

Can you reduce the cost of pen testing? We answer that questions and more in our blog.