
Prevent hacked AWS accounts from wreaking havoc

Security should be a top priority in public cloud deployment, but breaches are still possible. If your AWS account has been hacked, follow these steps to minimize the impact.

The benefits of cloud adoption are clear: greater speed, agility and efficiency. But it also comes with new challenges, and a single security breach can quickly shut down an entire business.

The accessibility of public cloud opens the door for the exploitation of insecure infrastructure access points. That makes it increasingly difficult -- and important -- to protect data and workloads, as industries become more and more dependent on the cloud.

Compromised AWS accounts are highly dangerous for enterprises. Whatever the cause -- external hacking or a disgruntled employee -- the first order of business is to isolate the affected AWS accounts and minimize damage before it is too late.

Negate the damage of hacked AWS accounts

If you have a compromised AWS Identity and Access Management (IAM) user account, immediately disable its access and privileges. Follow this step-by-step procedure:

  • Go to the IAM console and detach all policies attached to the user. This prevents that user from taking any further action, even if he or she is already logged in to the web console.
  • Next, go to the Security credentials tab, and disable the account's console password and access keys.
  • After you stop the compromised account from causing more harm, assess the damage already done. If the user deleted data, it is most likely lost forever -- unless you have backups. But if the user launched resources -- to cause financial damage, for example -- locate and stop them immediately. AWS CloudTrail helps with this, as it provides logs and visibility into every API call a user makes. That lets administrators track down changes to their infrastructure if, for example, the attacker opened a port in a security group for later exploitation.
  • Next, check and rotate all of your AWS credentials. Also assess Active Directory or Lightweight Directory Access Protocol (LDAP) directories, if applicable. CloudTrail can help identify which AWS accounts are compromised, so make sure CloudTrail logging is enabled, both to contain the attack and to support the post-mortem analysis.
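To make the CloudTrail review concrete, here is an added Python example (not from the article or from AWS) that walks a CloudTrail export for one compromised IAM user and collects the instances to stop, the security-group changes to review and the deletions to reconcile against backups. The records, user names and resource ids are constructed; in practice the input would be the output of `aws cloudtrail lookup-events` or the trail's log files in S3.

```python
import json

# Constructed CloudTrail records for a hypothetical compromised IAM user "alice".
# These are not real logs; every id, bucket and key below is made up.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "RunInstances",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0aaa"}, {"instanceId": "i-0bbb"}]}}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "responseElements": None,
     "requestParameters": {"groupId": "sg-0123", "ipPermissions": {"items": [
         {"fromPort": 22, "toPort": 22, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2024-05-01T10:07:00Z", "eventName": "DeleteObject",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"bucketName": "corp-backups", "key": "db/2024-04-30.dump"}},
    {"eventTime": "2024-05-01T10:09:00Z", "eventName": "RunInstances",  # another user: must be ignored
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0ccc"}]}}},
]})

# Event names a responder checks first: resources that keep costing money, exposure changes, data destruction.
CREATES_RESOURCES = {"RunInstances"}
EXPOSES = {"AuthorizeSecurityGroupIngress", "PutBucketPolicy", "PutBucketAcl"}
DESTRUCTIVE = {"DeleteObject", "DeleteBucket", "TerminateInstances", "DeleteVolume"}

def actor(record):  # IAM user behind a record, including role sessions that user assumed
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("sessionContext", {}).get("sessionIssuer", {}).get("userName")

def triage(trail_json, user_name):  # collect what one user launched, opened up or deleted
    found = {"instances_to_stop": [], "exposures": [], "destructive": []}
    for rec in json.loads(trail_json)["Records"]:
        if actor(rec) != user_name:
            continue
        name, params = rec["eventName"], rec.get("requestParameters") or {}
        if name in CREATES_RESOURCES:  # responseElements is null for failed or read-only calls
            items = (rec.get("responseElements") or {}).get("instancesSet", {}).get("items", [])
            found["instances_to_stop"] += [i["instanceId"] for i in items]
        elif name in EXPOSES:
            found["exposures"].append((name, params.get("groupId") or params.get("bucketName")))
        elif name in DESTRUCTIVE:
            found["destructive"].append((rec["eventTime"], name, params.get("bucketName"), params.get("key")))
    return found

def remediation_commands(found):  # AWS CLI calls that stop the bleeding; review them before running
    cmds = []
    if found["instances_to_stop"]:
        cmds.append("aws ec2 stop-instances --instance-ids " + " ".join(found["instances_to_stop"]))
    cmds += [f"aws ec2 describe-security-groups --group-ids {t}" for n, t in found["exposures"] if n == "AuthorizeSecurityGroupIngress"]
    return cmds
```

The `destructive` list is what you reconcile against your backups; the script deliberately only describes the security group rather than revoking rules, because the rule to remove must be confirmed by a human first.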

If an AWS root account is compromised, you have a much more significant problem. If the attacker gained access to the root account and changed the password, contact AWS Support and wait for a specialist to recover your account, which could take 24 to 48 hours. During that time, review the best practices for securing your account, because there is not much else you can do.
