Known Issue - Compromised Account


Change your AWS root account password and the passwords of any IAM users

For information about changing your root AWS password, see Changing the AWS Account Root User Password. For information about changing the password of an IAM user, see Managing Passwords for IAM Users.

It’s a best practice to change your passwords on a regular basis to avoid unauthorized use of your account. For information about AWS security best practices, see the AWS Security Best Practices whitepaper.

Delete or rotate any potentially compromised AWS access keys

If you find AWS access keys that you no longer need or didn’t create, delete them. For more information about deleting access keys, see How do I delete an AWS access key?

If your application currently uses an exposed access key, replace the exposed key with a new one. To do this, create a second key and modify your application to use the new key, and then disable (but do not delete) the first key. If there are any problems with your application, reactivate the key temporarily. When your application is fully functional and the first key is in the disabled state, delete the first key.

Treat AWS access keys the same way you would treat an account password—don’t provide access keys to anyone you don’t know and trust, don’t publish access keys to public websites or code repositories, and consider best practices when using or managing AWS access keys. For AWS security best practices, see the AWS Security Best Practices whitepaper.
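The rotation sequence above (create a second key, switch the application, disable but do not delete the old key, verify, then delete) as a small AWS CLI script. This is an added example and not part of the original article or of any AWS tooling; it assumes the AWS CLI v2 is installed and that the caller has iam:ListAccessKeys, iam:CreateAccessKey, iam:UpdateAccessKey and iam:DeleteAccessKey on the target user. The user name and key IDs are placeholders.

```shell
#!/bin/sh
# Added example (not from the article or from AWS): rotate an IAM user's access
# key with the AWS CLI in the order described above: create the replacement,
# switch the application, deactivate (not delete) the old key, and delete it
# only once it has been verified to be unused. Assumes the AWS CLI v2 and a
# caller with iam:ListAccessKeys, iam:CreateAccessKey, iam:UpdateAccessKey and
# iam:DeleteAccessKey on the target user. User names and key IDs are placeholders.
set -eu

# Key IDs the user currently has. IAM allows at most two per user, so a
# rotation needs a free slot.
list_keys() {
    aws iam list-access-keys --user-name "$1" \
        --query 'AccessKeyMetadata[].AccessKeyId' --output text
}

# Step 1: create the replacement key. Prints "<AccessKeyId> <SecretAccessKey>";
# the secret is only ever returned here, so hand it to the application at once.
create_replacement_key() {
    n=$(list_keys "$1" | wc -w | tr -d ' ')
    if [ "$n" -ge 2 ]; then
        echo "user $1 already has two access keys; remove one before rotating" >&2
        return 1
    fi
    aws iam create-access-key --user-name "$1" \
        --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output text
}

# Step 2, after the application has been switched to the new key: deactivate
# the exposed key. It can be re-enabled if something still depended on it.
deactivate_key() {
    aws iam update-access-key --user-name "$1" --access-key-id "$2" --status Inactive
}

reactivate_key() {
    aws iam update-access-key --user-name "$1" --access-key-id "$2" --status Active
}

# Step 3: delete the old key, but only if it is already Inactive, so the
# "disable first, then verify" step cannot be skipped by accident.
delete_inactive_key() {
    status=$(aws iam list-access-keys --user-name "$1" \
        --query "AccessKeyMetadata[?AccessKeyId=='$2'].Status" --output text)
    if [ "$status" != "Inactive" ]; then
        echo "refusing to delete $2: status is '$status', not Inactive" >&2
        return 1
    fi
    aws iam delete-access-key --user-name "$1" --access-key-id "$2"
}

# Usage, one step at a time, with the application switched in between:
#   sh rotate-key.sh create_replacement_key app-user
#   sh rotate-key.sh deactivate_key app-user AKIA...OLD
#   sh rotate-key.sh delete_inactive_key app-user AKIA...OLD
if [ "$#" -gt 0 ]; then "$@"; fi
```

Run each step by hand and leave time between deactivation and deletion: an application that only fails the next time it is restarted or scaled will show up as an error while the key is merely Inactive, and reactivate_key restores it without creating a third key.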


Delete any unrecognized or unauthorized resources

Sign in to your AWS account and check that all resources currently running on your account are resources that you launched. Make sure to check all AWS Regions, even regions in which you've never launched AWS resources; attackers often deliberately pick a region you don't use. Pay special attention to running EC2 instances, EC2 Spot Instance requests (spot bids), and IAM users you don't recognize. If you're not sure how to delete a resource associated with a particular AWS service, see the AWS Documentation related to that service.
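One way to do that sweep from the command line, so that no region is skipped. This is an added example, not part of the article or of AWS; it assumes the AWS CLI v2 and read-only permissions (ec2:DescribeRegions, ec2:DescribeInstances, ec2:DescribeSpotInstanceRequests, iam:ListUsers). The instances_since helper is an addition for narrowing the list to anything launched after the time you believe the key was exposed.

```shell
#!/bin/sh
# Added example (not from the article or from AWS): list what is running in
# every region enabled for the account, plus every IAM user, so an instance
# launched by an attacker in a region you never use is not missed. Assumes the
# AWS CLI v2 and read-only permissions: ec2:DescribeRegions,
# ec2:DescribeInstances, ec2:DescribeSpotInstanceRequests, iam:ListUsers.
set -eu

# Regions enabled for this account. Without --all-regions, describe-regions
# omits opted-out regions, which cannot hold resources anyway.
enabled_regions() {
    aws ec2 describe-regions --query 'Regions[].RegionName' --output text
}

# Running instances in one region as "<region> <id> <type> <launch time>".
running_instances() {
    aws ec2 describe-instances --region "$1" \
        --filters Name=instance-state-name,Values=running \
        --query 'Reservations[].Instances[].[InstanceId,InstanceType,LaunchTime]' \
        --output text | sed "s/^/$1 /"
}

# Open or active Spot requests in one region (the "spot bids" above).
spot_requests() {
    aws ec2 describe-spot-instance-requests --region "$1" \
        --filters Name=state,Values=open,active \
        --query 'SpotInstanceRequests[].[SpotInstanceRequestId,LaunchSpecification.InstanceType]' \
        --output text | sed "s/^/$1 spot /"
}

# Instances launched at or after an ISO 8601 UTC timestamp, e.g. the moment
# the key was exposed. LaunchTime is field 4 and ISO timestamps sort lexically.
instances_since() {
    running_instances "$1" | awk -v since="$2" '$4 >= since'
}

# IAM users with creation date; a name you did not create is a red flag.
iam_users() {
    aws iam list-users --query 'Users[].[UserName,CreateDate]' --output text \
        | sed 's/^/iam /'
}

# Full sweep: every enabled region, then IAM.
audit() {
    for r in $(enabled_regions); do
        running_instances "$r"
        spot_requests "$r"
    done
    iam_users
}

# Usage:
#   sh audit.sh audit
#   sh audit.sh instances_since eu-west-1 2024-03-01T00:00:00Z
if [ "$#" -gt 0 ]; then "$@"; fi
```

EC2 and IAM are only the resources the article calls out; a compromised key can also have been used for Lambda functions, Lightsail instances, SageMaker notebooks or new IAM roles, so repeat the per-region loop for any service the key had permissions to touch.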

Contact AWS Support

If you received correspondence from AWS about potential issues with your account, sign in to the AWS Support Center and respond to the notification with any information AWS Support requested from you.

If you can't sign in to your account, use the Contact Us form to request help from AWS Support.

If you have any additional questions or concerns, but didn’t receive a notification, create a new AWS support case in the AWS Support Center.

Note: Do not include potentially sensitive information in your correspondence, including full AWS access keys, passwords, or credit card information.

Use AWS open-source projects to scan for evidence of compromise

AWS publishes open-source projects on GitHub that can help you protect your account:

  • git-secrets installs Git hooks that scan commits, commit messages, and merges for secret material such as access keys. Any content matching one of the prohibited regular expressions you register (git secrets --register-aws adds patterns for AWS access key IDs and secret keys) causes the commit to be rejected locally, before it can be pushed to a repository, public or otherwise.
  • The AWS Health and AWS Trusted Advisor Exposed Keys CloudWatch Event Monitor listens for the Amazon CloudWatch Events that AWS Health or Trusted Advisor emit when an access key is reported as exposed, and uses AWS Step Functions and AWS Lambda to respond. If there is evidence that your access keys have been compromised, the project can help you automatically detect, log, and mitigate the event.
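To show what the git-secrets check actually does, here is a minimal pre-commit style scanner in POSIX shell. It is an added example and not code from the article, from AWS, or from git-secrets itself; its regular expressions are modelled on the ones git secrets --register-aws installs, reproduced from memory of that project, so treat the exact patterns as an assumption and prefer the real tool in practice. The sample configuration it scans is constructed and contains no real credentials.

```shell
#!/bin/sh
# Added example, not part of the article, of AWS, or of git-secrets: a minimal
# pre-commit style scanner whose patterns are modelled on the ones
# `git secrets --register-aws` installs (reproduced from memory of that project;
# treat the exact regexes as an assumption). The real tool is preferable:
#   git secrets --install && git secrets --register-aws   # hooks for this repo
#   git secrets --scan-history                            # check old commits too
# The sample input below is constructed and contains no real credentials.
set -eu

# Access key IDs: a known 4-character prefix followed by 16 upper-case
# alphanumerics (AKIA = long-term user key, ASIA = temporary STS key, ...).
AKID_RE='(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}'
# Secret keys: a name shaped like aws_secret_access_key assigned a 40-character
# base64-like value, with optional quotes around name and value.
SECRET_RE="(\"|')?(AWS|aws|Aws)?_?(SECRET|secret|Secret)?_?(ACCESS|access|Access)?_?(KEY|key|Key)(\"|')?[[:space:]]*(:|=>|=)[[:space:]]*(\"|')?[A-Za-z0-9/+=]{40}(\"|')?"
# AWS's documentation placeholders are allowed, as git-secrets also does.
ALLOWED_RE='AKIAIOSFODNN7EXAMPLE|wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'

# Read text on stdin, print every line that looks like a credential, and
# return 1 if there were any so a hook can abort the commit.
scan_for_aws_secrets() {
    hits=$(grep -E -e "$AKID_RE" -e "$SECRET_RE" | grep -E -v "$ALLOWED_RE" || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
}

# What a pre-commit hook would run: only the staged changes, no context lines.
check_staged() {
    git diff --cached -U0 | scan_for_aws_secrets
}

# Constructed sample: a credentials file with the documentation placeholders
# (allowed) next to two lines shaped like live credentials (rejected).
SAMPLE='[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
[leaked]
aws_access_key_id = AKIA0123456789ABCDEF
aws_secret_access_key = abcdefghijklmnopqrstuvwxyz0123456789ABCD
region = us-east-1'

# Scans SAMPLE: prints the two [leaked] lines and exits 1.
demo() {
    printf '%s\n' "$SAMPLE" | scan_for_aws_secrets
}

if [ "$#" -gt 0 ]; then "$@"; fi
```

The allow-list matters: without it the placeholders used throughout AWS documentation would block every commit that includes an example config. When you add your own allowed patterns (git secrets --add --allowed), keep them as specific as these two so that a real key cannot slip through on a partial match.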


If you continue to experience difficulties, please open a case with the DLT Opscenter using the following contact information:

