All,
I wanted to reach out to the community for some feedback and share my experience on AWS. Recently, I discovered that my AWS Free Tier learning account was compromised. I received an email that there was suspicious activity on my account, which I hadn't utilized in several months. After observing a second and third similar email, rather than click on any links, I wanted to ensure the emails were legit and logged into my account. Little to my surprise did I see that not only were there some new users created, but someone had created over 2,533 Endpoints across every single regional zone they offer (26 geographical regions across six continents). There was a variety of servers and instances set up which, as far as I could tell, were simply performing some API calls across the Asia Pacific region and into the 'Stans.
Long story short, I was billed a minuscule $491,233 over the 4th of July weekend. Fucking chump change, right? Pretty certain I had a couple of heart attacks. If I didn't have kids, I'd probably have spread my brains on my favorite wall - I'm fond of the south-facing wall with the fireplace in my great room. Some tissue might add a nice touch...
I'll say this of AWS Support: it is absolutely horrible. They claim that, due to security reasons, they do not have a phone number to reach any department, and you need to open a Case with them and request a callback. Imagine attempting to do this on a holiday weekend in the States. 3 Customer Support reps have reached out to me on ways I can secure my account. None of them have last names or contact numbers, and they refuse to call any number I provide. Instead of offering actual support, they list the many ways to remove the data created by the attacker. At this point, I can then request that they stop the bleeding from the account accruing charges.
Luckily, I've been able to locate and restrict the attacker's access to the AWS account to the best of my ability, removing credentials and their scripts that were placed into the account. Now, I have to put on some tunes and delete, one at a time, the 2,533 Endpoints which made over 1 million API calls in just 5 days since the account appeared to have been breached.
My wife found a lot of people in similar situations of their accounts being compromised, and none seem to end well. Anyway, passing along my horror story, and just know that multi-factor authentication and complex passwords (randomly generated ones of 32 characters or more) on AWS aren't enough. Lock your shit down with certs and rotate your creds frequently... or better yet, stay the hell away from AWS. Then again, if my account was compromised due to a security exploit on the AWS side, there will be blood. I mean, a series of strongly-worded letters from lawyers.
If anyone has some advice on working with AWS, getting through to a live person, or suggestions on any specific lawyers or government offices I should contact, I'm all ears. I've reached out to the Ohio Attorney General's Office, the FBI and IC3 to file complaints and have begun a BBB filing against AWS.
Best,
Izumi
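An added example (not from the post, and not an AWS tool) showing the kind of triage a defender would run over CloudTrail records to surface the two signals described in the post: new IAM users/keys being created, followed by endpoints and instances fanned out across many regions. The records, usernames, IPs and the region threshold are constructed assumptions.

```python
import json
from collections import Counter

# Event names matching the post's pattern: identities created, then
# endpoints/instances spun up. Thresholds are assumptions, not AWS defaults.
IDENTITY_EVENTS = {"CreateUser", "CreateAccessKey", "CreateLoginProfile"}
RESOURCE_EVENTS = {"CreateVpcEndpoint", "RunInstances"}
REGION_THRESHOLD = 3  # assumed: a one-person lab account rarely touches 3+ regions

def _rec(when, name, source, region, user, ip):
    """Build a minimal CloudTrail-shaped record (only the fields inspected below)."""
    return {"eventTime": when, "eventName": name, "eventSource": source,
            "awsRegion": region, "userIdentity": {"userName": user},
            "sourceIPAddress": ip}

# Constructed sample log; a real CloudTrail file uses the same {"Records": [...]} wrapper.
SAMPLE_LOG = json.dumps({"Records": [
    _rec("2023-07-01T02:11:09Z", "CreateUser", "iam.amazonaws.com", "us-east-1", "owner", "203.0.113.9"),
    _rec("2023-07-01T02:11:40Z", "CreateAccessKey", "iam.amazonaws.com", "us-east-1", "owner", "203.0.113.9"),
    _rec("2023-07-01T02:13:02Z", "CreateVpcEndpoint", "ec2.amazonaws.com", "ap-southeast-1", "backup-svc", "203.0.113.9"),
    _rec("2023-07-01T02:13:05Z", "CreateVpcEndpoint", "ec2.amazonaws.com", "ap-northeast-2", "backup-svc", "203.0.113.9"),
    _rec("2023-07-01T02:13:07Z", "RunInstances", "ec2.amazonaws.com", "eu-central-1", "backup-svc", "203.0.113.9"),
    _rec("2023-07-01T02:13:09Z", "CreateVpcEndpoint", "ec2.amazonaws.com", "me-south-1", "backup-svc", "203.0.113.9"),
    _rec("2023-06-30T18:00:00Z", "DescribeInstances", "ec2.amazonaws.com", "us-east-1", "owner", "192.0.2.44"),
]})

def load_records(text):
    """Parse one CloudTrail log file (JSON text) into its list of records."""
    return json.loads(text)["Records"]

def triage(records):
    """Summarise identity creation and region spread; flag the combination."""
    identity = [r for r in records if r["eventName"] in IDENTITY_EVENTS]
    resources = [r for r in records if r["eventName"] in RESOURCE_EVENTS]
    regions = Counter(r["awsRegion"] for r in resources)
    return {
        "identity_events": len(identity),
        "regions": dict(regions),
        "region_count": len(regions),
        "resource_actors": sorted({r["userIdentity"]["userName"] for r in resources}),
        "source_ips": sorted({r["sourceIPAddress"] for r in identity + resources}),
        # Both signals together: new credentials, then multi-region fan-out.
        "flagged": bool(identity) and len(regions) >= REGION_THRESHOLD,
    }
```

Run it against your own exported CloudTrail files and compare the `source_ips` and `resource_actors` against the principals you actually use; anything unfamiliar is where the credential-removal and cleanup should start.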