Account compromise incident response in AWS
In case of account compromise, the suggested actions to take are:
- Change the root password and delete root access keys if you haven’t done that before.
- Add MFA to the root account if you haven’t done that before.
- Change all user account passwords (I strongly doubt this one, but the documentation says so; for certification exam purposes, consider this one true).
- Delete or rotate potentially compromised account access keys.
- Delete unrecognized/unauthorized instances and IAM users with the help of AWS Config and CloudTrail.
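
An added example (not from the original post or from AWS): a Python pass over an IAM credential report that turns the checklist above into per-user actions. The report excerpt and user names are constructed, and the `suspected_start` cutoff and the "created after the cutoff" heuristic are assumptions of this example.

```python
import csv
import io
from datetime import datetime

# Constructed sample in the column layout of an IAM credential report
# (only the columns used here; user names and dates are made up).
SAMPLE_REPORT = """\
user,user_creation_time,password_enabled,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,2020-01-05T10:00:00+00:00,not_supported,not_supported,false,true,2021-03-01T08:00:00+00:00,false,N/A
alice,2021-06-01T09:00:00+00:00,true,2024-05-20T12:00:00+00:00,true,true,2023-11-02T07:30:00+00:00,false,N/A
deploy-bot,2022-02-14T09:00:00+00:00,false,N/A,false,true,2024-05-19T06:00:00+00:00,false,N/A
tmp-admin,2024-05-18T03:12:00+00:00,true,2024-05-18T03:12:00+00:00,false,false,N/A,false,N/A
"""

def _ts(value):
    """Parse a report timestamp; N/A, not_supported etc. become None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None

def triage(report_csv, suspected_start):
    """Return (user, action) pairs following the checklist above.

    suspected_start is an assumption of this example: credentials not
    changed since then are treated as potentially compromised.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        keys = [n for n in ("1", "2") if row[f"access_key_{n}_active"] == "true"]
        if user == "<root_account>":
            findings.append((user, "change root password"))
            findings += [(user, f"delete root access key {n}") for n in keys]
            if row["mfa_active"] != "true":
                findings.append((user, "add MFA to root"))
            continue
        created = _ts(row["user_creation_time"])
        if created and created >= suspected_start:
            findings.append((user, "unrecognized? verify creation in CloudTrail"))
        changed = _ts(row["password_last_changed"])
        if row["password_enabled"] == "true" and (changed is None or changed < suspected_start):
            findings.append((user, "change password"))
        for n in keys:
            rotated = _ts(row[f"access_key_{n}_last_rotated"])
            if rotated is None or rotated < suspected_start:
                findings.append((user, f"rotate or delete access key {n}"))
    return findings
```

The real report comes from `aws iam generate-credential-report` followed by `aws iam get-credential-report`, whose `Content` field is the base64-encoded CSV.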