momius - Fotolia
The benefits of cloud adoption are clear: greater speed, agility and efficiency. But it also comes with new challenges, and a single security breach can quickly shut down an entire business.
The accessibility of public cloud opens the door for the exploitation of insecure infrastructure access points. That makes it increasingly difficult -- and important -- to protect data and workloads, as industries become more and more dependent on the cloud.
Compromised AWS accounts are highly dangerous for enterprises. Whatever the cause -- external hacking or a disgruntled employee -- the first order of business is to isolate the affected AWS accounts and minimize damage before it is too late.
Negate the damage of hacked AWS accounts
If you have a compromised AWS Identity and Access Management (IAM) user account, immediately disable its access and privileges. Follow this step-by-step procedure:
- Go to the IAM console, and detach all policies connected to the user. This halts that user from making any further action if he or she is already logged in to the web console.
- Next, go to the Security credentials tab, and disable the account's console password and access keys.
- After you stop the compromised account from causing more harm, assess the damage already done. If the user deleted data, it is most likely lost forever -- unless you have backups. But if the user started some resources -- to cause financial damage, for example -- you should immediately locate and stop them. AWS CloudTrail helps with this, as it provides logs and visibility into all API calls a user makes. This helps administrators track down changes in their infrastructure if, for example, the attacker opened a port in a security group for later exploitation.
- Next, make sure you check and rotate all of your AWS credentials. Also, be sure to assess Active Directory or Lightweight Directory Access Protocol if applicable. CloudTrail can help identify which AWS accounts are compromised, so make sure to enable CloudTrail logging to contain the attack and perform the post-mortem analysis.
If an AWS root account is compromised, you have a much more significant problem. If the attacker gained access to the root account and changed the password, contact AWS support, and wait for a specialist to retrieve your account, which could take up to 24 to 48 hours. During that time, you should review the best practices to secure your account, because there's not much else you can do.
Use best practices to boost your AWS security
Boost AWS security with multifactor authentication
Use IAM to gain control over multiple AWS accounts
Dig Deeper on AWS management
Related Q&A from Ofir Nachmani
Get a cloud expert's take on the technical factors involved in the Capital One data breach that exposed sensitive data of millions of the bank's ... Continue Reading
While Amazon CloudFront can make traffic spikes more manageable, IT teams still need to carefully prepare their environment for these increases in ... Continue Reading
Some AWS users should consider a third-party tool to find better visibility into their network infrastructure and traffic patterns instead of relying... Continue Reading