What To Do When Your AWS Account Is Hacked?
In this article, we are going to cover what to do when your AWS account is hacked and what to do when someone changes your AWS account root email.
The first step is not to panic and to follow the protocols. Neither your worry nor your panic is going to bring your account back. So the first step is to calm down and follow the steps mentioned below. Don't worry about billing: once you report the incident to AWS, they will help to adjust those unauthorized charges.
Also, don't be surprised that your account has been hacked. Our account was hacked from another country, and Amazon did not stop them based on geolocation as Google does. The account was hacked during USA nighttime, meaning that even if the owner, who is from the USA, got an email, they could not act or respond. So don't ever be under the impression that certain services or certain accounts can't be hacked.
And remember no one, yes, no one, is going to help except AWS. Only AWS can help you, so there is no need to contact any other person or company. Also, don't go for any third-party services that promise to get you back into your account.
Please note that this article is not about what to do to avoid hacking. This article is about what you have to do when it happens. And yes, it does happen: it happened to us and it has happened to others as well. So I am describing the steps that we took.
Steps That We Took
- Contacted AWS: We contacted AWS using another AWS account. You can use your colleague's account, your friend's account, or your own, as long as it is a different account. In that ticket we clearly mentioned that our AWS account had been compromised. We mentioned our account number and the email address associated with AWS. Also, when the email address of your root account gets changed, you will get an email notification from AWS. We sent a screenshot of that as well. This way we made sure that AWS knew that our account had been hacked, and we requested them to please help us recover it at the earliest.
We also filled out this form – and again we mentioned that our account had been compromised.
- After some time, we started a live chat with them using the same AWS ticket account. In the live chat we explained the whole situation, asked them to expedite the recovery process, and also expressed our concerns about unauthorized charges.
- We waited for them to respond and made sure all communications from Amazon Support were replied to in a timely manner, as AWS does take time to verify your account to make sure what you have reported is true.
- Next, AWS is going to call, and you verify all the details. It might take 24 hours for them to verify everything, and if everything goes well, your account will be reactivated. And what to do next is something that we all know.
Important takeaways from this incident are:
– Keep patience – It's tough, but always keep patience, as such situations are going to test your patience.
– Always keep a backup of all your resources – Maybe use services like CloudFormation to have all your resources in exported format, so that you can use that either
– We had EC2 and RDS instances in our account. We immediately took a backup by downloading them and bringing a local copy up to date.
– There is no contact number to contact AWS, so please don't try that.
– Remember you are the AWS account owner and ONLY you and AWS can resolve this issue.
– Please do change your passwords for Amazon.com as well.
– Make sure you secure your devices as well.
– Make sure you change all possible passwords, like your email passwords and other important passwords.
Below are some FAQs that will help you act quickly.
All you need is to be calm and start contacting support. Please use the instructions mentioned in the above article to recover your AWS account.
No, AWS does not have any contact number, and you have to communicate via ticket and email.
Not really. If you report them in a timely manner and inform them, then they do understand and take care of such charges.
It will take around 24 to 48 hours to recover your account, but it also depends on the verification process and the communication that happens between you and Amazon.
You have to make sure you follow the standard security practices like MFA, disabling the root account, and other practices suggested by Amazon.