The benefits of cloud adoption are clear: greater speed, agility and efficiency. But it also comes with new challenges, and a single security breach can quickly shut down an entire business.
The accessibility of public cloud opens the door for the exploitation of insecure infrastructure access points. That makes it increasingly difficult -- and important -- to protect data and workloads, as industries become more and more dependent on the cloud.
Compromised AWS accounts are highly dangerous for enterprises. Whatever the cause -- external hacking or a disgruntled employee -- the first order of business is to isolate the affected AWS accounts and minimize damage before it is too late.
Negate the damage of hacked AWS accounts
If you have a compromised AWS Identity and Access Management (IAM) user account, immediately disable its access and privileges. Follow this step-by-step procedure:
- Go to the IAM console, and detach all policies connected to the user. This stops the user from taking any further action, even if he or she is already logged in to the web console.
- Next, go to the Security credentials tab, and disable the account's console password and access keys.
- After you stop the compromised account from causing more harm, assess the damage already done. If the user deleted data, it is most likely lost forever -- unless you have backups. But if the user started some resources -- to cause financial damage, for example -- you should immediately locate and stop them. AWS CloudTrail helps with this, as it provides logs and visibility into all API calls a user makes. This helps administrators track down changes in their infrastructure if, for example, the attacker opened a port in a security group for later exploitation.
- Next, check and rotate all of your AWS credentials. Also assess any Active Directory or Lightweight Directory Access Protocol (LDAP) integration, if applicable. CloudTrail can help identify which AWS accounts are compromised, so make sure CloudTrail logging is enabled before you need it, both to contain the attack and to perform the post-mortem analysis.
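The procedure above, as an added example that is not code from the original article: a Python routine that carries out the containment steps against an IAM user in the order given (policies first, then console password, then access keys) and then filters that user's CloudTrail events down to the actions worth stopping or undoing first. The boto3 IAM client method names are real; the InMemoryIAM client and SAMPLE_EVENTS are constructed stand-ins so the module runs offline, and HIGH_IMPACT_EVENTS is an assumed, non-exhaustive list. It goes slightly beyond the steps listed: inline policies and group memberships are revoked as well, because either can grant access that detaching managed policies alone would leave in place.

```python
"""Contain a compromised IAM user, then triage its CloudTrail activity.
Added example, not code from the original article. The client methods called in
contain_iam_user() are real boto3 IAM API names; InMemoryIAM and SAMPLE_EVENTS are
constructed stand-ins so the logic can run offline."""

# Actions to surface first in triage (foothold, cost, data loss, blinded logging).
# This set is an assumption for the example, not an exhaustive catalogue.
HIGH_IMPACT_EVENTS = {
    "RunInstances", "AuthorizeSecurityGroupIngress", "CreateAccessKey",
    "CreateUser", "AttachUserPolicy", "DeleteBucket", "DeleteObject",
    "StopLogging", "DeleteTrail",
}


def contain_iam_user(iam, username):
    """Revoke access in the article's order: policies first (stops an already
    open console session), then the console password, then access keys."""
    summary = {"detached": 0, "inline_deleted": 0, "groups_removed": 0,
               "console_disabled": False, "keys_deactivated": 0}
    # Managed policies attached directly to the user.
    for pol in iam.list_attached_user_policies(UserName=username)["AttachedPolicies"]:
        iam.detach_user_policy(UserName=username, PolicyArn=pol["PolicyArn"])
        summary["detached"] += 1
    # Inline policies embedded in the user object.
    for name in iam.list_user_policies(UserName=username)["PolicyNames"]:
        iam.delete_user_policy(UserName=username, PolicyName=name)
        summary["inline_deleted"] += 1
    # Permissions inherited through group membership.
    for grp in iam.list_groups_for_user(UserName=username)["Groups"]:
        iam.remove_user_from_group(GroupName=grp["GroupName"], UserName=username)
        summary["groups_removed"] += 1
    # Console password: deleting the login profile blocks new logins.
    # API-only users have no profile, so NoSuchEntity is expected there.
    try:
        iam.delete_login_profile(UserName=username)
        summary["console_disabled"] = True
    except iam.exceptions.NoSuchEntityException:
        pass
    # Access keys: deactivate rather than delete so the key IDs stay
    # searchable in CloudTrail during the post-mortem.
    for key in iam.list_access_keys(UserName=username)["AccessKeyMetadata"]:
        if key["Status"] == "Active":
            iam.update_access_key(UserName=username,
                                  AccessKeyId=key["AccessKeyId"], Status="Inactive")
            summary["keys_deactivated"] += 1
    return summary


def triage_events(events, username):
    """Return this user's high-impact CloudTrail events, newest first, so
    responders know what to stop or undo (a started instance, an opened port)."""
    hits = [e for e in events
            if e.get("Username") == username and e.get("EventName") in HIGH_IMPACT_EVENTS]
    return sorted(hits, key=lambda e: e["EventTime"], reverse=True)


class InMemoryIAM:
    """Constructed offline stand-in for the boto3 IAM client methods used above."""
    class exceptions:
        class NoSuchEntityException(Exception): pass

    def __init__(self, has_console=True):
        self.attached = [{"PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}]
        self.inline = ["s3-full"]
        self.groups = [{"GroupName": "developers"}]
        self.has_console = has_console
        self.keys = [{"AccessKeyId": "AKIAEXAMPLE0000000001", "Status": "Active"},
                     {"AccessKeyId": "AKIAEXAMPLE0000000002", "Status": "Inactive"}]

    def list_attached_user_policies(self, UserName):
        return {"AttachedPolicies": list(self.attached)}
    def detach_user_policy(self, UserName, PolicyArn):
        self.attached = [p for p in self.attached if p["PolicyArn"] != PolicyArn]
    def list_user_policies(self, UserName):
        return {"PolicyNames": list(self.inline)}
    def delete_user_policy(self, UserName, PolicyName):
        self.inline.remove(PolicyName)
    def list_groups_for_user(self, UserName):
        return {"Groups": list(self.groups)}
    def remove_user_from_group(self, GroupName, UserName):
        self.groups = [g for g in self.groups if g["GroupName"] != GroupName]
    def delete_login_profile(self, UserName):
        if not self.has_console:
            raise self.exceptions.NoSuchEntityException(UserName)
        self.has_console = False
    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [dict(k) for k in self.keys]}
    def update_access_key(self, UserName, AccessKeyId, Status):
        for k in self.keys:
            if k["AccessKeyId"] == AccessKeyId:
                k["Status"] = Status


# Constructed lookup_events() records (real EventTime values are datetimes; ISO strings sort alike).
SAMPLE_EVENTS = [
    {"EventTime": "2019-03-01T10:02:00Z", "EventName": "DescribeInstances", "Username": "alice"},
    {"EventTime": "2019-03-01T10:05:00Z", "EventName": "RunInstances", "Username": "alice"},
    {"EventTime": "2019-03-01T10:07:00Z", "EventName": "AuthorizeSecurityGroupIngress", "Username": "alice"},
    {"EventTime": "2019-03-01T10:09:00Z", "EventName": "RunInstances", "Username": "bob"},
]
```

Against a real account, pass `boto3.client("iam")` as `iam` and feed `triage_events()` the `Events` list returned by `boto3.client("cloudtrail").lookup_events(LookupAttributes=[{"AttributeKey": "Username", "AttributeValue": username}])`. Access keys are deactivated rather than deleted on purpose: the key IDs remain searchable in CloudTrail while the investigation runs, and they can be deleted once the post-mortem is complete.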
If an AWS root account is compromised, you have a much more significant problem. If the attacker gained access to the root account and changed the password, contact AWS Support and wait for a specialist to recover your account, which could take up to 24 to 48 hours. During that time, review the best practices for securing your account, because there is not much else you can do.
Related Q&A from Ofir Nachmani