The benefits of cloud adoption are clear: greater speed, agility and efficiency. But it also comes with new challenges,...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
and a single security breach can quickly shut down an entire business.
The accessibility of public cloud opens the door for the exploitation of insecure infrastructure access points. That makes it increasingly difficult -- and important -- to protect data and workloads, as industries become more and more dependent on the cloud.
Compromised AWS accounts are highly dangerous for enterprises. Whatever the cause -- external hacking or a disgruntled employee -- the first order of business is to isolate the affected AWS accounts and minimize damage before it is too late.
Negate the damage of hacked AWS accounts
If you have a compromised AWS Identity and Access Management (IAM) user account, immediately disable its access and privileges. Follow this step-by-step procedure:
- Go to the IAM console, and detach all policies connected to the user. This halts that user from making any further action if he or she is already logged in to the web console.
- Next, go to the Security credentials tab, and disable the account's console password and access keys.
- After you stop the compromised account from causing more harm, assess the damage already done. If the user deleted data, it is most likely lost forever -- unless you have backups. But if the user started some resources -- to cause financial damage, for example -- you should immediately locate and stop them. AWS CloudTrail helps with this, as it provides logs and visibility into all API calls a user makes. This helps administrators track down changes in their infrastructure if, for example, the attacker opened a port in a security group for later exploitation.
- Next, make sure you check and rotate all of your AWS credentials. Also, be sure to assess Active Directory or Lightweight Directory Access Protocol if applicable. CloudTrail can help identify which AWS accounts are compromised, so make sure to enable CloudTrail logging to contain the attack and perform the post-mortem analysis.
If an AWS root account is compromised, you have a much more significant problem. If the attacker gained access to the root account and changed the password, contact AWS support, and wait for a specialist to retrieve your account, which could take up to 24 to 48 hours. During that time, you should review the best practices to secure your account, because there's not much else you can do.
Use best practices to boost your AWS security
Boost AWS security with multifactor authentication
Use IAM to gain control over multiple AWS accounts
Dig Deeper on AWS compliance, governance, privacy and regulations
Related Q&A from Ofir Nachmani
Do you trust a cloud vendor's native cost analysis tools? In reality, both provider-native and third-party cost management systems are only as ...continue reading
Recent partnerships show Amazon's intentions to tap into the hybrid cloud market. While there's a lot of promise, there are still many features ...continue reading
AWS users in the US-East-1 region have seen a string of outages in the last few years. But does that mean they shouldn't deploy workloads there?continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.