Account credential stolen -


Hi all, my credential have been stolen. I changed my account password, but i am affraid that access keys are now in other hands. I have EC2, RDS and VCP istances up and running. How i can ensure that nobody could push any unouthorized code? Should i change all the keys? If yes how i can i do it properly?

Also how i cna be sure that no other instances have been initiated?

Any other aspect to verify to restore the full security of the web?

Thank you


2 Answers
Accepted Answer

Greetings, I am sorry to hear that your credentials have been stored. Since AWS credentials have been compromised, follow these condensed steps to secure your account:

Rotate Access Keys: Immediately change access keys for all IAM users. Do this via the IAM console by creating new keys and deactivating the old ones.

Audit AWS Environment: Use AWS CloudTrail logs to check for unauthorized activities. Verify all EC2, RDS, and VPC instances for any unrecognized resources and terminate if necessary.

Enable Multi-Factor Authentication (MFA): Set up MFA for your AWS account and for IAM users to add an extra layer of security.

Review and Tighten IAM Policies: Ensure IAM policies adhere to the principle of least privilege.

Monitor with CloudWatch: Set up Amazon CloudWatch alarms for unusual activity monitoring.

Contact AWS Support: If you suspect further compromise, contact AWS Support for assistance.

Review External Dependencies: Check external services linked to your AWS account for potential compromises and rotate shared keys or tokens.

Educate Your Team: Make sure your team is aware of the security incident and understands the importance of following security best practices.

Taking these actions quickly can help mitigate risks and secure your AWS environment against unauthorized access.

Please let me know if you have any questions.

answered 2 months ago

Some tasks to perform. What access does your User account have? They could only make changes within your permission boundary

  • Re-issue all keys for all users.
  • Reset all users password credentials
  • Review ALL roles and their Trusts because a role could trust an account from an external account
  • Review all newly created users, roles
  • Check for newly created IDPs
  • Check for any org creation/sub accounts
  • Review all newly created resources
  • Review all newly created security groups
profile picture
answered 2 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions