My AWS Account is hacked! I am being billed for Services which I have not used!!! What can I do now?



Few months back I have posted my journey towards AWS Certified Solution Architect – Associate exam. The link can be found below,

 

http://ahirjoy.blogspot.com/2022/06/how-i-passed-aws-certified-architect.html

 

However, while my cloud journey was going on well, there was a rude shock when I realized that my account got hacked. Though I was on long leave last month, I observed that my billing was increasing exponentially everyday though I was sure that I did not have any services running. Still I logged in to my AWS account to verify the same as I started getting unusual usage alert from AWS support also by then. To my surprise, I found many EC2 instances, VPCs and policies were created for my account which were very much active! Also, I found one subscription NVIDIA GPU Optimized AMI was subscribed for me in AWS marketplace!!!

 

I got panicked. I Immediately closed the account. However, to my disappointment I received communication from AWS support that unless the account is secured, it can’t be closed cleanly and services may be still in use and I would be billed based on that continuously! (Strange?)

 

So I contacted few kind CloudGurus in my Circle and AWS support who were kind enough to guide me through the entire process of securing my AWS account. I am so much thankful to all of them and I am consolidating the steps below in great detail hoping it may help someone else in the time of need one day!

 

Step 1: Change your AWS root account password immediately.

See the root account password change guide: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_change-root.html .

 

Also, enable Multi Factor Authentication (MFA) without second thought!

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html#enable-virt-mfa-for-root 

 

 

As a further precaution, it is recommended to change your email password and passwords for other websites to help protect your account from being compromised again.

 

Step 2: Check your CloudTrail log for unsanctioned activity such as creation of unauthorized IAM users, policies, roles or temporary security credentials. To secure your account please delete any unauthorized IAM users, roles, and policies, and revoke any temporary credentials. NOTE: You cannot revoke temporary credentials obtained via the root user.

 

For more information see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_disable-perms.html#denying-access-to-credentials-creator .

 

1. To delete unauthorized IAM users, go here: https://console.aws.amazon.com/iam/home#users .

 

2. To delete unauthorized policies, go here: https://console.aws.amazon.com/iam/home#/policies .

 

3. To delete unauthorized roles, go here: https://console.aws.amazon.com/iam/home#/roles .

 

4. You can revoke temporary credentials by following the instructions here: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_disable-perms.html#denying-access-to-credentials-by-issue-time .

 

Temporary credentials can also be revoked by deleting the IAM User. NOTE: Deleting IAM users may impact production workloads and should be done carefully. Step 3.

 

Do the following to check and delete for unauthorized AWS usage: -

 

1. Check your CloudTrail logs - Check your “Bills” page: https://console.aws.amazon.com/billing/home#/bill

 

2. Check Cost Explorer: https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/ce-what-is.html

Some common usage types to check for are EC2 instances, EC2 Spot bids, Lambda functions, AMIs, EBS volumes, EBS snapshots, Lightsail instances, and Sagemaker notebook instances. For help with deleting resources associated with these services, see the following:

 

3. EC2 instances: 

https://aws.amazon.com/premiumsupport/knowledge-center/delete-terminate-ec2/

 

4. EC2 Spot bids: 

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/spot-requests.html#terminating-a-spot-instance

 

5. Lambda functions: 

https://docs.aws.amazon.com/lambda/latest/dg/getting-started-create-function.html#gettingstarted-cleanup

 

6. AMIs: 

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/deregister-ami.html

 

7. EBS volumes:

 https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-deleting-volume.html

 

8. EBS snapshots: 

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-deleting-snapshot.html#ebs-delete-snapshot

 

9. Lightsail instances: https://lightsail.aws.amazon.com/ls/docs/en_us/articles/delete-an-amazon-lightsail-instance

 

10. Sagemaker notebook instances: https://docs.aws.amazon.com/sagemaker/latest/dg/ex1-cleanup.html

 

Keep in mind that unauthorized usage can occur in any AWS Region and that your console may show you only one Region at a time. To switch between Regions, you can use the dropdown in the upper-right corner of the console screen.

 

Please note that for security reasons, AWS Support cannot terminate customer resources on your behalf, you need to follow the above steps as specified in the above links/documentation. but please follow these steps to delete any unauthorized resources:

 

Delete VPCs:

 

1. Select the security groups that are not marked as 'Yes' under "Default VPC"

2. Select in 'Actions'

3. Select 'Delete VPC'.

4. Change the region and repeat the steps above.

 

 EC2 security groups

 

If unauthorized: Select the security groups that are not named as 'default' > Select in 'Actions' > Select 'Delete security groups'. ~ EC2 Key Pairs

 

To delete the Key Pair: 1. Log into the EC2 console

2. On the left panel choose Key Pairs.

3. Select the key pair you want to delete.

4. Select Actions > Delete.

 

With regards to the FES and Backup Roles : 

 

Firstly, Please check if you have any backup vaults related to the Elastic file system service (EFS) here: If yes, please follow the steps provided in the documentation here to disable them: https://aws.amazon.com/premiumsupport/knowledge-center/efs-disable-automatic-backups/ ** The document also contains a video for reference. Once you clear the back up storage for EFS you should be able to delete the IAM roles related to the same. >>

 

To delete unauthorized roles, go here:

https://console.aws.amazon.com/iam/home#/roles If you are unable to find any backup vaults, please write back to us along with the screenshot of the same so that we can have our internal team investigate on it further.

 

To delete Root User Keys go here:

https://console.aws.amazon.com/iam/home#security_credential . If your application uses the exposed Access Key, you need to replace the Key. To replace the Key, first create a second Key (at that point both Keys will be active) and then modify your application to use the new Key. Then disable (but do not delete) the exposed Key by clicking on the “Make inactive” option in the console. If there are any problems with your application, you can reactivate the exposed Key. When your application is fully functional using the new Key, please delete the exposed Key. NOTE: Only rotating and deleting the exposed key may not be sufficient to protect your account, see Step 2. Step 2: Check your CloudTrail log for unsanctioned activity such as creation of unauthorized IAM users, access keys, login profiles, policies, roles or temporary security credentials. To secure your account please delete any unauthorized IAM users, access keys, login profiles, roles, and policies, and revoke any temporary credentials. NOTE: You cannot revoke temporary credentials obtained via the Root User. For more information see:

 

Finally you must set up at least two of the following services to monitor cost and usage: https://docs.aws.amazon.com/cost-management/latest/userguide/budgets-create.html#create-cost-budget (** recommended)

https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/gs_monitor_estimated_charges_with_cloudwatch.html#gs_creating_billing_alarm (** recommended)

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html

https://docs.aws.amazon.com/waf/latest/developerguide/getting-started.html

https://docs.aws.amazon.com/awssupport/latest/user/get-started-with-aws-trusted-advisor.html

 

For more information about managing your AWS cost and usage, see the following: https://docs.aws.amazon.com/cost-management/latest/userguide/what-is-costmanagement.html ======

 

2. You must set up at least one of the following security best practices: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html#enable-virt-mfa-for-root (** recommended) https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-enable.html https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html ======

 

3. Confirm that you have read the AWS Customer Agreement and Shared Responsibility Model: https://aws.amazon.com/agreement/ https://aws.amazon.com/compliance/shared-responsibility-model/ ======

 

After all these are done, you can request AWS Support for consideration of Billing Adjustment and hope for the best. But please note that even AWS considers your request once (as it was for me, I am really grateful for that), if you are careless with your account security, they will not consider again as securing one’s account is user’s responsibility. So please, please take the security measures very seriously. 

 

Best of luck!


Comments

Post a Comment

Popular posts from this blog

A Layman’s Guide to Personal Finance/Investing

      This blog is written considering people who have elementary knowledge on personal finance but enthusiastic about starting fresh towards the rewarding journey of investment. They should try to follow below simple steps to begin with, 1.        First analyze your income and expenses thoroughly, not only your big-ticket expenses like EMI, but even minute details like laundry expenses which will give you realistic picture how well   are you managing your income and expenditure.   2.        Create an emergency fund which should be no less than 3 months’ of your monthly income. This will act as a primary cushion for unemployment or unavoidable circumstances.   3.        Buy Family floater plan for you and your dependents even if you have an insurance from your company. This will be very helpful when you are out of job or even for buying individual coverage at a later stage of life.   4.        Buy a term insurance plan for your dependent to protect your family f
Read more

How I Passed AWS Certified Architect - Associate Exam (2022)

Image
  How I Passed AWS Certified Architect - Associate Exam (2022)                             Ahirjoy Biswas   (PMP, PMI-ACP, TOGAF 9.1)   I passed my exam on 30 th  May’22 in my first attempt. I am sharing my learning experiences here with you and will be really very happy if my experience helps someone else to crack the examination. Core Concepts:   i. Books  -    AWS Certified Solutions Architect Study Guide, Associate (SAA-C02)                   by Ben Piper and David Clinton   This is an excellent book which covers all Core Concepts in detail. Please go through the entire content at least twice. Very good for ready reference and revision. Considering the lazy person I am, I always prefer to read real books and take notes than carrying Kindle or laptop.     ii. Course -   You can go through “Ultimate AWS Certified Solution Architect Associate 2022” course by Stephane Maarek in Udemy which is the most popular course for AWS Associate in Udemy at present.   Almost every week Udemy offer
Read more

4 High Quality Udemy Courses for Web Developers and System Designers under $1 !!

  Please DO NOT spend lakhs on online FANG bootcamps or certifications from known/unknown universities! There are high quality courses available for all technical domains under Rs. 500/-. I am listing few Udemy courses for web developers and system designers. I prefer such courses than YouTube videos due to their structured content. Udemy offers discount on its courses almost every week when you can buy these courses. You can thank me later. :-) For Web Developers ----------------------- 1. The Complete 2023 Web Development Bootcamp by Dr Angela Yu https://lnkd.in/d6A73xJU 2. The Complete Web Developer in 2023 : Zero to Mastery by Andrei Neagoie https://lnkd.in/dvZT6W2n For System Designers ------------------------ 1. System Design Interview Guide for Software Architecture by Sandeep Kaul https://lnkd.in/dmdqnG2K 2. Mastering the System Design Interview by Frank Kane https://lnkd.in/dMS-nZGn
Read more