Which team should you reach out to if you believe your AWS account has been compromised?

Starting on Dec 13th, I received an email that my account could be compromised and I confirmed it was hacked. I created this account for educational purposes but never used it at all. Now, I can see charges for over 7.5k and my support ticket (xxxxxxxxxx) has been unassigned for more than 24 hours, even when the bill continues increasing. I have no payment methods configured, so I don't know why you permitted this to happen. I don't know how to stop it or anything. I need assistance ASAP.

Please, let me know how much time is required to get someone assigned when a ticket is tagged as "Urgent business impacting question". According to the chat session I had yesterday, the AWS security team should be reviewing the issue.

Thanks in advance,

Regards,

Edit: Removed case ID — Chrissy B.

If you’re going to protect yourself from getting hacked, it helps to understand how you get hacked in the first place.  Here are 3 attack vectors for your AWS account, and some best practices to lock them down.

#1: Leaked AWS Credentials

Obviously, if you share your credentials publicly, bad people can do bad things with them.  And you wouldn’t do that, right? But mistakes happen, more often than you might think. This particular attack vector most commonly arises from access keys getting committed to public source code repositories.  Typically, the committer thought the repository was private.

MITIGATION: DON’T STORE SECRETS IN SOURCE CONTROL

Never check access keys, passwords, or other secrets into source control.  It doesn’t matter that the repo is private. Manage them in a secret store that can be accessed at runtime (sometimes at deploy time) such as AWS Secrets Manager, Systems Manager Parameter Store, or Hashicorp Vault.

MITIGATION: OR DON’T STORE SECRETS AT ALL

All of the AWS compute services allow you to specify an IAM Role for their compute instances (EC2 instances, ECS tasks, EKS pods, or Lambda functions) to run as. When you use IAM Roles, the access keys are automatically provided to the process – you don’t have to handle them at all.

#2: Compromised Laptop (Or Desktop)

When bad people steal access to your computer, they have access to do all kinds of things.  At the very least, they can easily discover any AWS access keys you’ve stored in the AWS credentials file.  They may also be able to log key presses, including the password you enter into the AWS console. You don’t want that.

MITIGATION: MFA

You’ve heard it 1000 times before, but you should be using multi-factor authentication when accessing your production AWS account.  This is commonly used to control access to the AWS console, but you should also use it at the command line, and for any programmatic access that originates from your machine.  Unfortunately, AWS command line access with MFA enabled is pretty cumbersome.  Take a look at aws-vault for a nice way to simplify it.

#3: Compromised Compute Instance

As mentioned above, compute instances (EC2, ECS, EKS, and Lambda) in AWS can optionally run as an IAM Role, which implicitly grants the software on those instances the ability to access other resources in your AWS account.  The scope of access depends on the policies applied to the IAM Role.

Under the covers, this works by making access keys available within the environment of the compute instance.  For Lambda, they’re in the standard AWS environment variables, while for other types of compute they’re available as metadata that can be queried over HTTP from the box.

If an attacker compromises your compute instance, they can get these keys. And if the associated IAM Role is granted permission to do nefarious things, the attacker can do those nefarious things. That's not a good thing.

MITIGATION: APPLY YOUR SECURITY PATCHES!

Whether it’s a Lambda script, a docker container in ECS/EKS, or a full operating system running on an EC2 instance, you need to make sure you’re up to date on your security patches.  Not staying current on fixes to well-publicized security vulnerabilities is just asking for trouble.

MITIGATION: LEAST PRIVILEGE FOR YOUR IAM ROLES

You’ve undoubtedly heard this 1000 times as well.  Don’t grant your IAM Roles more permissions than they absolutely need for the software running on the instance.
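As an added example of checking that least-privilege advice mechanically (this is not Arpio's code or an AWS tool), the function below lints an IAM policy document for the patterns that make a compromised instance role dangerous: `Action` wildcards, `Allow` with `NotAction`, and `Resource: "*"` on actions that change state. The three policies are constructed samples; the bucket name, secret name and the account ID 123456789012 are placeholders.

```python
import json

# Actions whose API name starts with one of these are treated as read-only;
# several of them (ec2:DescribeInstances, for example) legitimately require
# Resource "*", so the resource wildcard is only flagged next to other actions.
READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_read_only(action: str) -> bool:
    api_name = action.split(":")[-1]  # "s3:GetObject" -> "GetObject"
    return api_name.startswith(READ_ONLY_PREFIXES)


def lint_policy(policy: dict) -> list[str]:
    """Return human-readable findings for over-broad Allow statements."""
    issues = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", f"Statement[{idx}]")

        if "NotAction" in stmt:
            issues.append(f"{sid}: Allow with NotAction grants every action not listed; "
                          "use an explicit Action list instead")

        actions = _as_list(stmt.get("Action"))
        for action in actions:
            if action == "*":
                issues.append(f"{sid}: Action '*' allows every API in every service")
            elif action.endswith(":*"):
                issues.append(f"{sid}: Action '{action}' allows every API in that service")

        if "*" in _as_list(stmt.get("Resource")) and "Condition" not in stmt:
            if any(not _is_read_only(a) for a in actions):
                issues.append(f"{sid}: Resource '*' with state-changing actions and no "
                              "Condition applies to every resource in the account")
    return issues


# Constructed sample: the kind of role policy that turns an instance compromise
# into an account compromise.
OVERLY_BROAD = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AppRole", "Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed sample: scoped to one service but still every API in it.
SERVICE_WILDCARD = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "S3All", "Effect": "Allow", "Action": "s3:*",
                   "Resource": "arn:aws:s3:::example-app-bucket/*"}],
}

# Constructed sample: what the same role looks like at least privilege.
LEAST_PRIVILEGE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadUploads", "Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-app-bucket/uploads/*"},
        {"Sid": "ReadDbSecret", "Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
         "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/app/db-*"},
        {"Sid": "Inventory", "Effect": "Allow", "Action": "ec2:DescribeInstances",
         "Resource": "*"},
    ],
}


if __name__ == "__main__":
    for name, policy in [("OVERLY_BROAD", OVERLY_BROAD),
                         ("SERVICE_WILDCARD", SERVICE_WILDCARD),
                         ("LEAST_PRIVILEGE", LEAST_PRIVILEGE)]:
        findings = lint_policy(json.loads(json.dumps(policy)))
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

The read-only heuristic is deliberately coarse; a `Get*` action on a sensitive resource is still worth scoping, so treat a clean result as "nothing obviously wrong" rather than as proof of least privilege.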

About Arpio

Arpio is comprehensive disaster recovery for AWS so that you don’t have to build it yourself.  If your AWS account ever gets hacked, and the attacker decides to ransomware or delete your data (including your backups), Arpio makes it easy to recover.

Learn more at www.arpio.io.

My AWS account was hacked in Jan 18 - 14K. AWS posted charges to my AMEX and later agreed to refund. We deleted the access keys, terminated all 50 EC2 instances from every one of their zones... and guess what... the account was breached again in March - now for 28K! We asked for a refund and went again following all their recommendations (password change, deleting keys, deleting EC2 instances etc) and while we were waiting for the billing team to resolve this matter - which took over 6 weeks and 7 different people to talk with - the account was breached again for 14K. And then, the icing on the cake - AWS says 6 weeks later that they will not refund us. Their "customer service" is so terrible, their decision insulting and the experience could not be any worse.

Every time we cleaned the account - deleting unauthorized instances, changing passwords etc - we would receive an e-mail confirmation that "We reviewed your account and determined that you have performed all necessary security steps. We have reinstated your access, and your account should now be active." and a short few weeks later we then received this message: "After a routine review of your account, we believe that someone obtained your personal account and/or financial information elsewhere and used it to access your Amazon Web Services account." - this repeated twice.

We've had our account with AWS for several years at a monthly use of $25 !!! Why would they not stop unauthorized use themselves when they see the charge quadrupled to $100???? Why would they not implement the basic practice all credit card companies have used for years to prevent fraud, not authorizing transactions that seem strange given the user profile/history? It is incomprehensible to me.

If any of you can advise us what to do next - that would be great. I had to close the account as I am afraid of the next hack! Just absolutely terrible experience and I am stuck with a 41K bill!

What should you do if you believe your AWS account has been compromised?

Rotate and delete exposed account access keys:
1. Create a new AWS access key.
2. Modify your application to use the new access key.
3. Deactivate the original access key. ...
4. Verify that there aren't any issues with your application.

How do I report AWS issues?

AWS Abuse: If you suspect that AWS resources (such as an EC2 instance or S3 bucket) are being used for suspicious activity, you can report it to the AWS Abuse Team using the Report Amazon AWS abuse form, or by contacting [email protected].

How did my AWS account get hacked?

The most likely scenario is that hackers are trying leaked username/password pairs from other breaches against AWS and gaining access to those accounts. PSA: set up MFA on your account if you haven't already.

How can you protect your AWS account against unauthorized access?

Safeguard your passwords and access keys.
Activate multi-factor authentication (MFA) on the AWS account root user and any users with interactive access to AWS Identity and Access Management (IAM).
Limit AWS account root user access to your resources.
Audit IAM users and their policies frequently.