Ask HN: Our AWS account got compromised after their outage
Could there be any link between the two events?
Here is what happened:
Some 600 instances were spawned within 3 hours before AWS flagged it off and sent us a health event. There were numerous domains verified and we could see SES quota increase request was made.
We are still investigating the vulnerability at our end. our initial suspect list has 2 suspects. api key or console access where MFA wasn’t enabled.
33 comments
[ 2.7 ms ] story [ 62.6 ms ] threadClient was a small org, and two very old IAM accounts had suddenly had recent (yesterday) console log ins and password changes.
I'm investigating the extent of the compromise, but so far it seems all they did was open a ticket to turn on SES production access and increase the daily email limit to 50k.
These were basically dormant IAM users from more than 5 years ago, and it's certainly odd timing that they'd suddenly pop on this particular day.
If you haven't check newly made Roles as well. We quashed the compromised users pretty quickly (including my own, the origin we figured out), but got a little lucky because I just started cruising the Roles and killing anything less than a month old or with admin access.
To play devil's advocate a bit. In our case we are pretty sure my key actually did get compromised although we aren't precisely sure how (probably a combination of me being dumb and my org being dumb and some guy putting two and two together). But we did trace the initial users being created to nearly a month prior to the actual SES request. It is entirely possible whomever did your thing had you compromised for a bit, and then once AWS went down they decided that was the perfect time to attack, when you might not notice just-another-AWS-thing happening.
(The particulars of your case being strange is a separate question though.)
Certainly feels like an strategy I'd explore if I was on that side of the aisle.
If my company used AWS I would be hyper aware about anything that it’s doing right now
Do not discount the possibility of regular malware.
While this could possibly be related to the downtime, I think this is probably an unfortunate case of coincidence.
Total password reset and tell your AWS representative. They usually let it slide on good faith.
Why don't cloud providers offer IP restrictions?
I can only access GitHub from my corporate account if I am in the VPN and it should be like that for every of those services with the capability to destroy lives.