I have read a number of horror stories on Reddit about hacked AWS accounts. The victims are left with an unplanned bill.
- My AWS account has been hacked and there is a +$4,000 USD (IN 2 DAYS) fraudulent charge, AWS SECURITY IS TERRIBLE
- Girlfriend lost AWS account - hacker has over $1k bill charged
- Account hacked change of email and password please help
- Account hacked and Services added. Now have huge bill
- AWS Account Hacked. Final billing decision to pay $33k
- My AWS account has been hacked, what can I do?
- Account hacked, email changed
Here's an excerpt from one of the posts noted above:
"I've only used AWS for student projects or learning about databases. I hadn't even logged into my account for months, maybe even a year! And then someone hacked into my account and used up about $160k worth of resources within a week, and I didn't notice until I received an attempted charge from my bank account for it.
After some back and forth with the support team on cleaning up everything the hacker did on my account, the billing team graciously reduced my bill to $33k. While I felt bad that this incident cost Amazon $160k, I still can't pay off the new bill, and I tried to see if they can waive it, but it was their final decision."
Very sad right? YES!
Now what can we do so we never ever get into this kinda situation?
- AWS ROOT ACCOUNT: You should ONLY use the Root Account the first time you create the AWS account, enable MFA on the root account, create an IAM account with the required privileges (admin) and then lock the root account away. The link below has AWS best practices to protect your root account.
Reference:
[+] Best practices to protect your account's root user - https://docs.aws.amazon.com/SetUp/latest/UserGuide/best-practices-root-user.html
- FOR CLI ACCESS, USE TEMPORARY CREDENTIALS: There are several options available for users / customers to explore:
AWS CLOUDSHELL - AWS CloudShell is a browser-based, pre-authenticated shell that you can launch directly from the AWS Management Console. You can navigate to CloudShell from the AWS Management Console a few different ways. You can run AWS CLI commands using your preferred shell, such as Bash, PowerShell, or Z shell. And you can do this without downloading or installing command line tools. AWS CloudShell is an AWS service that's available at no additional charge. However, you pay for other AWS resources that you run with AWS CloudShell. The link below has more information about AWS CloudShell.
IAM ROLES ANYWHERE - You can use AWS Identity and Access Management Roles Anywhere to obtain temporary security credentials in IAM for workloads such as servers, containers, and applications that run outside of AWS. Your workloads can use the same IAM policies and IAM roles that you use with AWS applications to access AWS resources. Using IAM Roles Anywhere means you don't need to manage long-term credentials for workloads running outside of AWS. To use IAM Roles Anywhere, your workloads must use X.509 certificates issued by your certificate authority (CA). You register the CA with IAM Roles Anywhere as a trust anchor to establish trust between your public-key infrastructure (PKI) and IAM Roles Anywhere. You can also use AWS Private Certificate Authority (AWS Private CA) to create a CA and then use that to establish trust with IAM Roles Anywhere. AWS Private CA is a managed private CA service for managing your CA infrastructure and your private certificates. The links below have more information about IAM Roles Anywhere.
AWS IAM IDENTITY CENTER (Formerly AWS SSO) AUTHENTICATION - AWS IAM Identity Center is the recommended method of providing AWS credentials when developing on a non-AWS compute service, for example your local development environment. If you are developing on an AWS resource, such as Amazon Elastic Compute Cloud (Amazon EC2) or AWS Cloud9, we recommend getting credentials from that service. The links below have more information.
Reference:
[+] Getting started with AWS CloudShell - https://docs.aws.amazon.com/cloudshell/latest/userguide/getting-started
[+] IAM Roles Anywhere Blogs - https://aws.amazon.com/blogs/security/tag/iam-roles-anywhere
[+] YT Video | AWS IAM Roles Anywhere Full Tutorial - https://youtu.be/n4UZZsTIlVA
[+] YT Video | AWS IAM Roles Anywhere with OpenSSL - https://youtu.be/aIX9by2uEgU
[+] IAM Identity Center authentication - https://docs.aws.amazon.com/sdkref/latest/guide/access-sso.html
[+] Configure the AWS CLI to use AWS IAM Identity Center - https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html
[+] Authenticate with short-term credentials - https://docs.aws.amazon.com/cli/latest/userguide/cli-authentication-short-term.html
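A quick way to see where you stand on the "temporary credentials" advice above is to look at what your own AWS CLI profiles are actually configured to use. The script below is an added example for this post (not code from the original article or from AWS): it parses the text of ~/.aws/config and ~/.aws/credentials and labels each profile as using static long-term keys, IAM Identity Center (SSO), an assumed role, or an external credential_process (the mechanism the IAM Roles Anywhere signing helper plugs into). The two sample files are constructed; the account id, role names and file paths are made up, the key values are the placeholder credentials AWS uses in its documentation, and the aws_signing_helper command line is assumed from the Roles Anywhere helper rather than taken from the post.

```python
"""Classify AWS CLI profiles by how they obtain credentials.

Added example (not from the original post or from AWS): reads the text of
~/.aws/config and ~/.aws/credentials and reports which profiles still hold
long-term static keys and which use a temporary-credential mechanism.
"""
import configparser
from typing import Dict, Optional

# Constructed sample config. Account id, role names and paths are made up; the
# aws_signing_helper command shape is assumed from the Roles Anywhere helper.
SAMPLE_CONFIG = """
[default]
region = us-east-1
output = json

[profile dev-sso]
sso_session = my-sso
sso_account_id = 111122223333
sso_role_name = DeveloperAccess

[sso-session my-sso]
sso_start_url = https://example.awsapps.com/start
sso_region = us-east-1

[profile admin-role]
role_arn = arn:aws:iam::111122223333:role/AdminRole
source_profile = dev-sso

[profile onprem-server]
credential_process = /usr/local/bin/aws_signing_helper credential-process --certificate /etc/pki/server.pem --private-key /etc/pki/server.key --trust-anchor-arn arn:aws:rolesanywhere:us-east-1:111122223333:trust-anchor/EXAMPLE --profile-arn arn:aws:rolesanywhere:us-east-1:111122223333:profile/EXAMPLE --role-arn arn:aws:iam::111122223333:role/OnPremRole
"""

# Constructed sample credentials file; key values are AWS documentation placeholders.
SAMPLE_CREDENTIALS = """
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[legacy-ci]
aws_access_key_id = AKIAI44QH8DHBEXAMPLE
aws_secret_access_key = je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
"""

STATIC_KEYS = ("aws_access_key_id", "aws_secret_access_key")


def _read(text: str) -> configparser.ConfigParser:
    # The CLI files are INI-like. Interpolation is off so '%' in values is safe,
    # and '=' is the only delimiter because values contain ':' (ARNs, URLs).
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                       default_section="__unused__")
    parser.read_string(text)
    return parser


def _profile_name(section: str, is_config: bool) -> Optional[str]:
    # config file: "[default]", "[profile NAME]", "[sso-session NAME]";
    # credentials file: plain "[NAME]".
    if is_config and section.startswith("sso-session "):
        return None
    if is_config and section.startswith("profile "):
        return section[len("profile "):]
    return section


def classify_profiles(config_text: str, credentials_text: str) -> Dict[str, str]:
    """Map each profile name to the kind of credential it relies on."""
    merged: Dict[str, dict] = {}
    for text, is_config in ((config_text, True), (credentials_text, False)):
        parser = _read(text)
        for section in parser.sections():
            name = _profile_name(section, is_config)
            if name is not None:
                merged.setdefault(name, {}).update(parser[section])
    kinds = {}
    for name, values in merged.items():
        if any(k in values for k in STATIC_KEYS):
            kinds[name] = "static"              # long-term key sitting on disk
        elif "sso_session" in values or "sso_start_url" in values:
            kinds[name] = "identity-center"     # short-term creds via SSO login
        elif "role_arn" in values:
            kinds[name] = "assumed-role"        # STS AssumeRole, temporary creds
        elif "credential_process" in values:
            kinds[name] = "credential-process"  # external helper, e.g. Roles Anywhere
        else:
            kinds[name] = "unknown"
    return kinds


def static_profiles(config_text: str, credentials_text: str):
    """Profiles that should be migrated away from long-term keys."""
    return sorted(name for name, kind in
                  classify_profiles(config_text, credentials_text).items()
                  if kind == "static")


if __name__ == "__main__":
    for name, kind in classify_profiles(SAMPLE_CONFIG, SAMPLE_CREDENTIALS).items():
        print(f"{name:15} {kind}")
```

To run it against your own machine, replace the two sample strings with the contents of ~/.aws/config and ~/.aws/credentials; every profile that comes back as "static" is one the post suggests moving to Identity Center, a role, or CloudShell.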
- STATIC AWS CREDENTIALS: If you MUST use static credentials, please ensure you do not define them in your code (especially in plaintext) or commit them to a git repository. Rotate keys regularly.
Reference:
[+] How to Rotate Access Keys for IAM Users - https://aws.amazon.com/blogs/security/how-to-rotate-access-keys-for-iam-users/
[+] Automatically rotate IAM user access keys at scale with AWS Organizations and AWS Secrets Manager - https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/automatically-rotate-iam-user-access-keys-at-scale-with-aws-organizations-and-aws-secrets-manager.html
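Both the root-account bullet (MFA on, root locked away) and the static-credential bullet (no keys in code, regular rotation) can be checked rather than just remembered. The script below is an added example for this post (not code from the original article or from AWS). It audits the CSV that `aws iam get-credential-report` returns (the API hands it back base64-encoded; a decoded, constructed sample with made-up users, ARNs and dates is embedded here, using the real column layout and the report's own placeholder values N/A, no_information and not_supported), flagging a root user without MFA or with active access keys and any IAM user key older than a rotation threshold. It also scans a constructed source snippet for hard-coded access keys. The 90-day threshold and the fixed clock are assumptions chosen for the example.

```python
"""Static-credential hygiene: IAM credential report audit plus a scan for
access keys hard-coded in source.

Added example (not from the original post or from AWS). The report format is
the CSV from `aws iam get-credential-report`; the sample is constructed.
"""
import csv
import io
import re
from datetime import datetime, timezone
from typing import List, Tuple

ROTATE_AFTER_DAYS = 90  # rotation threshold chosen for this example
SAMPLE_NOW = datetime(2024, 3, 15, 12, 0, tzinfo=timezone.utc)  # fixed clock for the sample

# Constructed report: real column layout, made-up users, ARNs and dates.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2021-01-10T09:00:00+00:00,not_supported,2023-11-01T12:00:00+00:00,not_supported,not_supported,false,true,2021-01-10T09:05:00+00:00,2023-11-02T08:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
admin,arn:aws:iam::111122223333:user/admin,2021-01-11T09:00:00+00:00,true,2024-03-01T10:00:00+00:00,2024-01-15T10:00:00+00:00,2024-04-14T10:00:00+00:00,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-bot,arn:aws:iam::111122223333:user/ci-bot,2022-06-01T09:00:00+00:00,false,no_information,N/A,N/A,false,true,2022-06-01T09:00:00+00:00,2024-03-01T10:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy,arn:aws:iam::111122223333:user/deploy,2023-05-01T09:00:00+00:00,false,no_information,N/A,N/A,false,true,2024-02-01T09:00:00+00:00,2024-03-14T10:00:00+00:00,eu-west-1,sts,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Constructed snippet of the kind of code the post warns against; the key
# values are AWS documentation placeholders, not real credentials.
SAMPLE_SOURCE = '''\
import boto3

# Constructed snippet of the kind of code the post warns against.
s3 = boto3.client(
    "s3",
    aws_access_key_id="AKIAIOSFODNN7EXAMPLE",
    aws_secret_access_key="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
)
'''

# IAM access key ids start with AKIA (long-term) or ASIA (temporary).
ACCESS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
SECRET_ASSIGN_RE = re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?[A-Za-z0-9/+=]{40}")


def _timestamp(value: str):
    """Parse a report timestamp; the report's placeholder values become None."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv: str, now: datetime) -> List[Tuple[str, str]]:
    """Return (user, finding) pairs for root hygiene and stale user keys."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        active_keys = [n for n in ("1", "2") if row[f"access_key_{n}_active"] == "true"]
        if user == "<root_account>":
            # Root should be locked away: MFA enabled and no access keys at all.
            if row["mfa_active"] != "true":
                findings.append((user, "root user has no MFA device"))
            for n in active_keys:
                findings.append((user, f"root user has an active access key (key {n})"))
            continue
        for n in active_keys:
            rotated = _timestamp(row[f"access_key_{n}_last_rotated"])
            if rotated is None:
                continue
            age = (now - rotated).days
            if age > ROTATE_AFTER_DAYS:
                findings.append((user, f"access key {n} is {age} days old, rotate it"))
    return findings


def find_hardcoded_keys(source: str) -> List[Tuple[int, str]]:
    """Return (line number, what) for source lines that embed AWS credentials."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if ACCESS_KEY_ID_RE.search(line):
            hits.append((lineno, "access key id"))
        if SECRET_ASSIGN_RE.search(line):
            hits.append((lineno, "secret access key"))
    return hits


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT, SAMPLE_NOW):
        print(f"{user}: {finding}")
    for lineno, what in find_hardcoded_keys(SAMPLE_SOURCE):
        print(f"source line {lineno}: hard-coded {what}")
```

For a real account, feed the decoded report into audit_credential_report with datetime.now(timezone.utc); the secret-key regex is deliberately narrow (a 40-character value assigned to aws_secret_access_key), so pair it with a dedicated secret scanner in CI rather than relying on it alone.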
These are some of the ways to protect your account. I believe many other users or customers do this differently... If you have other options, please feel free to share in the comments.
Until next time... Cheers!