Dear AWS Customer,
We are following up with you as your AWS Account may still be compromised. Please review this notice as well as the previous notice we sent and take immediate action to secure and restore your account.
If you do not stop the unauthorized usage and contact AWS within five (5) days, your account will be suspended in order to protect you from unauthorized usage and charges. To further protect your account from excessive charges, we will terminate any suspected unauthorized resources on your account. Please note that some resources may not be recoverable once terminated.
PLEASE FOLLOW THE INSTRUCTIONS BELOW TO SECURE AND RESTORE YOUR ACCOUNT:
Step 1: Change your AWS root account password
Visit the account password change guide here. As a further precaution, we recommend changing your email password and passwords for other websites to help protect your AWS account from being at risk. We also recommend enabling multi-factor authentication (MFA) on your AWS account for increased security. You can find more information here.
Step 2: Check your CloudTrail log for unsanctioned activity
Check your account for any unsanctioned activity such as creation of unauthorized IAM users and/or associated passwords (login profile), access keys, policies, roles or temporary security credentials by checking your CloudTrail log, and immediately delete them.
To delete unauthorized IAM users, go here. To delete unauthorized policies, go here. To delete unauthorized roles, go here.
You can revoke temporary credentials by following the instructions here. Temporary credentials can also be revoked by deleting the IAM User; however, they cannot be revoked if obtained via the root user. For more information, please go here.
NOTE: Deleting IAM users may impact production workloads and should be done carefully.
Step 3: Review your AWS account for any unauthorized AWS usage
Check your account for any unauthorized usage such as EC2 instances, Lambda functions or EC2 Spot bids by logging into your AWS Management Console and reviewing each service page. You can also do this by checking the Bills page in the Billing console by going here. Please keep in mind that unauthorized usage can occur in any region and that your console displays only one region at a time. To switch regions, use the drop-down menu in the top-right corner of the console.
Step 4: [IMPORTANT] You must respond to the existing Support Case or create a new one to confirm completion of the steps above in order to restore access to your account and apply for a billing adjustment, if applicable.
Please visit the Support Center through your account and reach out to Customer Service through an existing Support Case or by creating a new one to confirm completion of steps 1-3 or to get help completing the steps in order to secure and restore your account. Once your account is secure, you may work with Customer Service for a billing adjustment for any unauthorized charges, if applicable. If you cannot find an existing Support Case, please create a new one by going here.
Thank you for your immediate attention to this matter.
Sincerely, Amazon Web Services
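
The CloudTrail review in Step 2, as an added example that is not part of the AWS notice: a Python triage pass over CloudTrail records that lists every successful call creating an IAM user, login profile, access key, policy, role or temporary credentials, and marks temporary credentials issued to the root user, which the notice says cannot be revoked. It assumes the records are already parsed from exported CloudTrail JSON; `expected_actors` is a hypothetical allow-list you maintain, and the sample records are constructed.

```python
# IAM/STS calls that create the items Step 2 lists, mapped to what they create.
WATCHED = {
    "CreateUser": "IAM user", "CreateLoginProfile": "login profile",
    "CreateAccessKey": "access key", "CreatePolicy": "policy",
    "PutUserPolicy": "policy", "AttachUserPolicy": "policy",
    "CreateRole": "role", "GetSessionToken": "temporary credentials",
    "GetFederationToken": "temporary credentials",
}

def triage(records, expected_actors):
    """Return one finding per successful watched call, oldest first."""
    findings = []
    for r in records:
        kind = WATCHED.get(r.get("eventName"))
        if kind is None or r.get("errorCode"):  # unrelated, or failed so nothing was created
            continue
        ident = r.get("userIdentity") or {}
        params = r.get("requestParameters") or {}
        target = next((params[k] for k in ("userName", "roleName", "policyName", "name")
                       if params.get(k)), "-")
        findings.append({
            "time": r.get("eventTime"), "event": r["eventName"], "kind": kind,
            "actor": ident.get("arn", "unknown"), "target": target,
            "source_ip": r.get("sourceIPAddress"),
            # Assumption: expected_actors is your own list of principals allowed to change IAM.
            "unexpected_actor": ident.get("arn") not in expected_actors,
            # Per the notice, temporary credentials obtained via root cannot be revoked.
            "root_temp_creds": kind == "temporary credentials" and ident.get("type") == "Root",
        })
    return sorted(findings, key=lambda f: f["time"] or "")

# Constructed sample records (account ID, principals, times and IP are made up).
ARN = "arn:aws:iam::111122223333:"
def _rec(t, name, actor, params=None, typ="IAMUser", err=None):
    return {"eventTime": f"2024-01-01T00:0{t}:00Z", "eventName": name, "errorCode": err,
            "sourceIPAddress": "198.51.100.7", "requestParameters": params,
            "userIdentity": {"type": typ, "arn": ARN + actor}}

SAMPLE = [
    _rec(1, "CreateUser", "user/deploy-bot", {"userName": "backup-svc"}),
    _rec(2, "CreateAccessKey", "user/deploy-bot", {"userName": "backup-svc"}),
    _rec(3, "AttachUserPolicy", "user/deploy-bot", {"userName": "backup-svc"}),
    _rec(4, "CreateLoginProfile", "user/deploy-bot", {"userName": "alice"}, err="AccessDenied"),
    _rec(5, "GetSessionToken", "root", typ="Root"),
    _rec(6, "DescribeInstances", "user/alice"),
    _rec(7, "CreateRole", "user/alice", {"roleName": "ci-runner"}),
]

if __name__ == "__main__":
    for f in triage(SAMPLE, expected_actors={ARN + "user/alice"}):
        print(f)
```

Findings with `unexpected_actor` set are the ones to check against the deletion list in Step 2; a `root_temp_creds` finding is a reason to raise it in the Support Case, since those credentials stay valid until they expire.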