Has Your AWS Account Been Hacked? A Deep Dive into Detecting and Securing Your AWS Account.

If you suspect your AWS has been compromised, here are some steps you can undertake to investigate:

1. Check for Unexpected Resource Usage: Monitor your AWS resources and usage patterns. A sudden spike in data transfer or an unusual increase in operations could indicate a problem. AWS provides various tools like AWS Trusted Advisor and AWS Cost Explorer to help you monitor your usage.
2. Check Your Bill: A sudden spike in your AWS bill could indicate unauthorised use of resources. Review your bill for any significant changes and check charges by services on your billing dashboard. Use the Billing dashboard to examine charges by services, enabling you to identify any significant changes in your AWS bill that might indicate unauthorised usage.
3. IAM Access Analyzer: Leverage AWS IAM Access Analyzer to scrutinise IAM user activity. Delete unused IAM users and review IAM roles shared with external entities. Keep an eye on password change dates to ensure security hygiene.
4. IAM Credential Report: Regularly check the IAM Credential Report for new users, changed passwords, and last usage dates/times. Identify any unexpected activity and take immediate action to rectify and investigate further.
5. Check CloudTrail: To investigate a potential AWS account compromise, use AWS CloudTrail. It records AWS environment activity and retains logs for 30 days. The default search shows non-read-only events, meaning actions that have changed your resources. Look for unusual logins, unexpected ‘assume role’ events, reconnaissance activity (like unusual API calls), and other abnormal behavior. Examine your AWS CloudTrail logs for unauthorized access or unusual API activity. AWS logs every sign-in event to the AWS Management Console. Review CloudTrail logs for any sign-in events that you don’t recognize. Look for events that occurred at unusual times or from unfamiliar IP addresses. Understanding your regular usage patterns will help you spot anomalies that could indicate a compromise.
6. Examine IAM Policies and Roles:

Review your IAM policies and roles to ensure they haven’t been altered. Unexpected changes could be a sign that an attacker has gained access to your account. 7. Check AWS Security Hub:

AWS Security Hub gives you a comprehensive view of your security alerts and security posture across your AWS accounts. It can help you identify potential security issues.

Once you’ve completed the investigation, it’s time to secure your account. Here are some steps to take:

1. Establish an Incident Response Plan: Develop and regularly update an incident response plan specific to AWS. Ensure your team is trained to respond swiftly to any potential security incidents and work with AWS Support if necessary.

2. Change the AWS Account Root User Password: This is a crucial first step in securing your account. Immediately change the AWS account root user password to enhance security and prevent unauthorised access.

3. Rotate and Delete Access Keys: Regularly rotate and delete both root and IAM access keys to mitigate the risk of unauthorised access through compromised credentials.

4. Delete Unwanted Resources: Regularly review and delete resources that you did not create to minimise the attack surface and potential points of compromise.

5. Revoke Active Sessions: Revoking IAM role temporary security credentials. Ensure all active sessions are revoked to invalidate temporary credentials from previous sessions. This step is crucial in preventing unauthorised access.

6. Create Account Alias: Customise your account ID with an alias for improved security and ease of use. Avoid displaying your account ID publicly and share the account alias link for access instead.

7. Enable Multi-Factor Authentication (MFA): Implement MFA for all accounts, adding an extra layer of security. Users should be prompted for MFA upon login, enhancing authentication security.

8. Password Policy: Establish a strong password policy, requiring passwords to be at least 10 characters long, expire in 90 days, and prevent password reuse.

9. Set up AWS CloudWatch Alarms: AWS CloudWatch allows you to set up alarms for specific events or thresholds. Establish alarms for activities that could indicate a compromise, such as multiple failed login attempts or changes to security group configurations.

10. Billing Alerts and AWS Cost Anomaly Detection: Set up cost budgets and billing alerts to monitor and control spending. Additionally, enable AWS Cost Anomaly Detection to identify unexpected and abnormal spending using machine learning.

11. Create IAM Admin Account: Avoid using the root account for everyday activities. Instead, create an IAM account with administrative privileges, enabling you to lock away the root account securely.

12. Enable AWS GuardDuty:

    AWS GuardDuty is a threat detection service that continuously monitors for malicious or unauthorized behavior. It can help you detect unusual API calls or potentially unauthorized deployments indicating account compromise.

13. IAM Policy Validator for AWS CloudFormation. This open-source command-line tool, also known as cfn-policy-validator, is a powerful asset that scrutinises IAM policies within a CloudFormation template using the IAM Access Analyser.

    It’s designed to seamlessly integrate into your CI/CD pipeline, halting deployment if it detects an issue with IAM policies.

    By incorporating this tool into your security strategy, you can ensure that any changes to IAM policies are thoroughly validated before deployment, significantly enhancing the security of your AWS account.

14. Use AWS Config Rules: AWS Config allows you to set up rules to enforce compliance and security standards. Create custom rules to monitor for specific activities that could indicate a compromise, such as changes to network configurations or the creation of new IAM users.

15. Turn on VPC Flow Logs: Virtual Private Cloud (VPC) Flow Logs capture information about the traffic going to and from your VPC. Analyze these logs to detect any unusual patterns, such as traffic to unfamiliar IP addresses or unexpected spikes in data transfer.

16. Regularly Scan for Vulnerabilities: Conduct regular vulnerability assessments on your AWS resources using tools like AWS Inspector or third-party solutions. Address any identified vulnerabilities promptly to reduce the risk of exploitation by malicious actors.

This article is a quick run-through on how to secure your AWS account. But remember, security isn’t a one-and-done thing.

At DoiT International, our AWS security experts offer a holistic AWS security posture assessment that dives deep into your entire AWS organization. This assessment is rooted in industry best practices and involves running approximately 300 checks against your AWS resources to ensure optimal configurations. We leverage 27 of the market’s leading security benchmarks to provide a thorough and rigorous evaluation.

Our goal is to help you identify any potential vulnerabilities and provide actionable recommendations to enhance your AWS security posture. Trust the expertise of our AWS security professionals to help you maintain the highest level of security for your AWS environment.

If you’d like to know more or are interested in our services, don’t hesitate to get in touch. You can contact us here.