The benefits of cloud adoption are clear: greater speed, agility and efficiency. But it also comes with new challenges,...
and a single security breach can quickly shut down an entire business.
The accessibility of public cloud opens the door for the exploitation of insecure infrastructure access points. That makes it increasingly difficult -- and important -- to protect data and workloads, as industries become more and more dependent on the cloud.
Compromised AWS accounts are highly dangerous for enterprises. Whatever the cause -- external hacking or a disgruntled employee -- the first order of business is to isolate the affected AWS accounts and minimize damage before it is too late.
Negate the damage of hacked AWS accounts
If you have a compromised AWS Identity and Access Management (IAM) user account, immediately disable its access and privileges. Follow this step-by-step procedure:
- Go to the IAM console, and detach all policies connected to the user. This halts that user from making any further action if he or she is already logged in to the web console.
- Next, go to the Security credentials tab, and disable the account's console password and access keys.
- After you stop the compromised account from causing more harm, assess the damage already done. If the user deleted data, it is most likely lost forever -- unless you have backups. But if the user started some resources -- to cause financial damage, for example -- you should immediately locate and stop them. AWS CloudTrail helps with this, as it provides logs and visibility into all API calls a user makes. This helps administrators track down changes in their infrastructure if, for example, the attacker opened a port in a security group for later exploitation.
- Next, make sure you check and rotate all of your AWS credentials. Also, be sure to assess Active Directory or Lightweight Directory Access Protocol if applicable. CloudTrail can help identify which AWS accounts are compromised, so make sure to enable CloudTrail logging to contain the attack and perform the post-mortem analysis.
If an AWS root account is compromised, you have a much more significant problem. If the attacker gained access to the root account and changed the password, contact AWS support, and wait for a specialist to retrieve your account, which could take up to 24 to 48 hours. During that time, you should review the best practices to secure your account, because there's not much else you can do.
Use best practices to boost your AWS security
Boost AWS security with multifactor authentication
Use IAM to gain control over multiple AWS accounts
Dig Deeper on AWS compliance, governance, privacy and regulations
Related Q&A from Ofir Nachmani
Personnel changes are inevitable at an enterprise, and security teams need to revoke AWS credentials accordingly to ensure the integrity of their ... Continue Reading
To gain a Professional-level AWS certification, AWS requires at least two years of experience with its platform. But will it help your career, or is ... Continue Reading
If you get clumsy with AWS security, you can put your whole business at risk. Be wary of these common errors, and implement best practices to secure ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.