'Hacked AWS account - how do I access/delete linked accounts that they have created?
Our AWS account has been hacked due to someone wrongly supplying an Administrator level access key.
We didn't have an Organisation set up, but the attackers created one. They have then created linked accounts within the organisation and created EC2 instances within them.
The problem I have is that I can't see any way to:
- Delete the linked accounts (it says I need to add a payment method to the linked account)
- View or terminate the EC2 instances on the other accounts
Can someone please tell me if it's possible to use my root login to access the EC2 instances on the linked accounts? This is costing us a lot of money in the last few hours unfortunately. I have a support case with AWS but they have mentioned that it could take 2-3 business days...
I have disabled users via IAM and made keys inactive.
Thank you in advance.
amazon-web-services
amazon-ec2Solution 1:[1]
When you create a AWS account in an Organization you set up a roles that the organization account can use to assume access into that account. If you can see what role is used for these accounts use that role and and assume access into it and take down what you need.
To get the concept of it better you can try to create your own account with organization and assume that role.
This should work as long as the hacker haven't done anything to the role.
Here is docs on how to do this: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Erik Asplund |