You set up various AWS resources in your AWS account, including EC2, RDS MySQL, DynamoDB, etc.
Your billing alarm has been triggered and the AWS cost is increasing abnormally.
You also get a notification from AWS that your AWS account may be compromised.
As an AWS administrator, you need to take action immediately.
Which of the following actions are appropriate? (Select Three.)
A. Change your AWS account root user password.
B. Delete all AWS EC2 resources.
C. Rotate and delete root and all IAM access keys.
D. Respond to any notifications you received from AWS Support.
E. Enable AWS Shield Advanced.
Answer - A, C, and D.
Option A is CORRECT because the AWS root account has complete access to AWS resources, services, and billing.
Changing the root user password is necessary to lock an attacker out of the account and regain control of it.
Option B is incorrect because it is not suitable to delete all resources at this stage.
Instead, you should delete any resources on your account you didn't create, such as EC2, EBS, IAM resources, etc.
Option C is CORRECT because anyone holding valid AWS access keys can use the AWS CLI to access your resources and compromise the account.
Rotating all IAM access keys that may have been exposed is the practice AWS recommends.
Option D is CORRECT because you should sign in to the AWS Support Center, check the notification detail, and respond to it.
Option E is incorrect because protecting against DDoS attacks is not the urgent concern when the AWS account itself is compromised.
The compromise may involve many other services, such as IAM and S3, and not just EC2 instances.
Reference: https://aws.amazon.com/premiumsupport/knowledge-center/potential-account-compromise/

Based on the scenario, it appears that the AWS account may have been compromised and the AWS cost is increasing abnormally. In such situations, it is crucial to take immediate action to prevent further damage.
The appropriate actions to take in this scenario are as follows:
A. Change your AWS account root user password: The root user is the highest level of privilege in an AWS account, and changing the password will prevent unauthorized access to the account. It is recommended to use a strong password and enable multi-factor authentication (MFA) for added security.
C. Rotate and delete root and all IAM access keys: Access keys are used for programmatic access to AWS resources and can be used to gain unauthorized access. Rotating the access keys will invalidate the old keys and ensure that only authorized users have access. Deleting the old keys will ensure that they cannot be used in the future.
D. Respond to any notifications you received from AWS Support: AWS may have detected suspicious activity on the account and sent notifications. It is important to review these notifications and take appropriate action as directed by AWS.
Deleting all AWS EC2 resources (B) is not an appropriate action because it may result in data loss and disrupt business operations. It is important to investigate the resources and determine which ones may have been compromised before taking any action.
Enabling AWS Shield Advanced (E) is a good security measure but is not directly related to the scenario. AWS Shield is a service that provides protection against Distributed Denial of Service (DDoS) attacks, and can be enabled to protect EC2 resources from such attacks.
In summary, in the event of a compromised AWS account and abnormal cost increase, changing the AWS account root user password, rotating and deleting all access keys, and responding to notifications from AWS Support are appropriate actions to take.
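The following is an added example, not part of the original question or of AWS's own tooling, showing how the "rotate and delete all IAM access keys" step (option C) and a root-account check (option A) look as a script. It uses the real boto3 IAM client method names and response shapes (list_users, list_access_keys, update_access_key, create_access_key, delete_access_key, get_account_summary); the FakeIAM class and the user names and key IDs it contains are constructed stand-ins so the script runs offline, and `boto3.client("iam")` would be passed in their place on a real account. Deactivating every existing key before issuing replacements is the ordering choice that matters during an incident: containment first, convenience second.

```python
from datetime import datetime, timezone


def rotate_user_keys(iam, user_name, delete_old=True):
    """Rotate every access key of one IAM user, incident-first:
    1. deactivate all existing keys immediately (containment),
    2. make room (IAM allows at most two keys per user),
    3. create the replacement, then delete the old keys.
    Users holding no keys get none issued (no new programmatic access)."""
    old = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    revoked = [k["AccessKeyId"] for k in old]
    for k in old:
        if k["Status"] == "Active":
            iam.update_access_key(UserName=user_name, AccessKeyId=k["AccessKeyId"],
                                  Status="Inactive")
    if not old:
        return {"user": user_name, "revoked": [], "new_key_id": None, "new_secret": None}
    if len(old) >= 2:  # at the two-key limit: drop the oldest before creating
        oldest = min(old, key=lambda k: k["CreateDate"])
        iam.delete_access_key(UserName=user_name, AccessKeyId=oldest["AccessKeyId"])
        old.remove(oldest)
    new = iam.create_access_key(UserName=user_name)["AccessKey"]
    if delete_old:
        for k in old:
            iam.delete_access_key(UserName=user_name, AccessKeyId=k["AccessKeyId"])
    # the secret is returned once; hand it over out-of-band and never log it
    return {"user": user_name, "revoked": revoked,
            "new_key_id": new["AccessKeyId"], "new_secret": new["SecretAccessKey"]}


def rotate_all_keys(iam):
    """Rotate keys for every IAM user (a real account with many users should
    use iam.get_paginator("list_users") instead of one list_users call)."""
    return {u["UserName"]: rotate_user_keys(iam, u["UserName"])
            for u in iam.list_users()["Users"]}


def root_findings(iam):
    """Root-user findings from GetAccountSummary: root access keys should not
    exist at all, and the root user should have MFA enabled."""
    summary = iam.get_account_summary()["SummaryMap"]
    findings = []
    if summary.get("AccountAccessKeysPresent", 0):
        findings.append("root access keys present: delete them in the console")
    if not summary.get("AccountMFAEnabled", 0):
        findings.append("root MFA not enabled: enable it after resetting the password")
    return findings


class FakeIAM:
    """Constructed in-memory stand-in for boto3's IAM client: same method
    names and response shapes as the real client, no network access."""

    def __init__(self, keys, root_keys_present=1, root_mfa=0):
        self.keys = {u: [dict(UserName=u, AccessKeyId=i, Status=s, CreateDate=d)
                         for i, s, d in ks] for u, ks in keys.items()}
        self.root_keys_present, self.root_mfa, self._n = root_keys_present, root_mfa, 0

    def list_users(self):
        return {"Users": [{"UserName": u} for u in self.keys]}

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [dict(k) for k in self.keys[UserName]]}

    def update_access_key(self, UserName, AccessKeyId, Status):
        for k in self.keys[UserName]:
            if k["AccessKeyId"] == AccessKeyId:
                k["Status"] = Status

    def delete_access_key(self, UserName, AccessKeyId):
        self.keys[UserName] = [k for k in self.keys[UserName] if k["AccessKeyId"] != AccessKeyId]

    def create_access_key(self, UserName):
        self._n += 1
        key = dict(UserName=UserName, AccessKeyId=f"AKIANEW{self._n:03d}",
                   Status="Active", CreateDate=datetime.now(timezone.utc))
        self.keys[UserName].append(key)
        return {"AccessKey": {**key, "SecretAccessKey": "constructed-secret"}}

    def get_account_summary(self):
        return {"SummaryMap": {"AccountAccessKeysPresent": self.root_keys_present,
                               "AccountMFAEnabled": self.root_mfa}}


def build_constructed_client():
    """Constructed sample account: one automation user already at the two-key
    limit and one console-only user with no keys."""
    utc = timezone.utc
    return FakeIAM({
        "deploy-bot": [("AKIAEXAMPLEOLD1", "Active", datetime(2023, 1, 1, tzinfo=utc)),
                       ("AKIAEXAMPLEOLD2", "Inactive", datetime(2023, 6, 1, tzinfo=utc))],
        "auditor": [],
    })


if __name__ == "__main__":
    iam = build_constructed_client()  # replace with boto3.client("iam") to run live
    for f in root_findings(iam):
        print("ROOT:", f)
    for user, r in rotate_all_keys(iam).items():
        print(f"{user}: revoked {r['revoked']} -> new key {r['new_key_id']}")
```

On a live account the same script needs credentials that are themselves trustworthy (a freshly created administrator user or a console session after the root password reset), since the keys it rotates may include the ones it would otherwise run under.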