堆栈内存溢出
  简体   繁体   English

被黑的 AWS 账户 - 我如何访问/删除他们创建的关联账户?

[英]Hacked AWS account - how do I access/delete linked accounts that they have created?

 原文  2022-01-31 04:13:50       amazon-web-services/ amazon-ec2

问题描述

Our AWS account has been hacked due to someone wrongly supplying an Administrator level access key.由于有人错误地提供了管理员级别的访问密钥,我们的 AWS 账户被黑了。

We didn't have an Organisation set up, but the attackers created one.我们没有设置组织,但攻击者创建了一个。 They have then created linked accounts within the organisation and created EC2 instances within them.然后,他们在组织内创建了关联账户并在其中创建了 EC2 实例。

The problem I have is that I can't see any way to:我遇到的问题是我看不到任何方法:

  1. Delete the linked accounts (it says I need to add a payment method to the linked account)删除关联的帐户(它说我需要向关联的帐户添加付款方式)
  2. View or terminate the EC2 instances on the other accounts查看或终止其他账户上的 EC2 实例

Can someone please tell me if it's possible to use my root login to access the EC2 instances on the linked accounts?有人可以告诉我是否可以使用我的 root 登录来访问关联账户上的 EC2 实例? This is costing us a lot of money in the last few hours unfortunately.不幸的是,这在过去的几个小时里让我们付出了很多钱。 I have a support case with AWS but they have mentioned that it could take 2-3 business days...我有一个 AWS 支持案例,但他们提到这可能需要 2-3 个工作日......

I have disabled users via IAM and made keys inactive.我通过 IAM 禁用了用户并使密钥处于非活动状态。

Thank you in advance.先感谢您。

2 个解决方案

解决方案1
 0  2022-01-31 09:05:44

When you create a AWS account in an Organization you set up a roles that the organization account can use to assume access into that account.当您在组织中创建 AWS 账户时,您会设置一个角色,组织账户可以使用该角色来承担对该账户的访问权限。 If you can see what role is used for these accounts use that role and and assume access into it and take down what you need.如果您可以看到这些帐户使用的角色,请使用该角色并假设访问它并删除您需要的内容。

To get the concept of it better you can try to create your own account with organization and assume that role.为了更好地了解它的概念,您可以尝试在组织中创建自己的帐户并承担该角色。

This should work as long as the hacker haven't done anything to the role.只要黑客没有对该角色做任何事情,这应该可以工作。

Here is docs on how to do this: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html以下是有关如何执行此操作的文档: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html

解决方案2
 0  2022-02-01 09:51:02

Based on the comments.根据评论。

Since the OP already contacted the support, the one thing to do was to access the compromised accounts from the master account and disable the instances.由于 OP 已经联系了支持人员,要做的一件事是从主帐户访问受感染的帐户并禁用实例。 The procedure to do it is explained in the AWS docs: AWS 文档中解释了执行此操作的过程:

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 是否可以从 AWS 的根账户访问关联账户的实例 - Is it possible to access Linked accounts' instances from root account in AWS 如何使用顶级账户中的 AWS Single Sign On 配置来自不同账户的多个 AWS Connect 实例? - How do I configure multiple AWS Connect instances from different accounts with AWS Single Sign On in a top level account? AWS 根账户无法访问组织账户 - AWS root account cannot access organizational accounts 如何使用 AWS CLI 仅列出 AWS 组织下的帐号和账户名称 - How do you list only accounts numbers and account names under an AWS organization using AWS CLI 如何通过 AWS Organizations 创建的根账户进行新访问? - How to access newly, via AWS Organizations created root account? AWS无法删除组织创建的帐户中的角色 - Aws unable to delete role in a organization created account 如何将驻留在账户 A 中的 s3 存储桶的访问权限授予来自多个 aws 账户的不同 iam 用户? - How to give access of s3 bucket residing in Account A to different iam users from multiple aws accounts? 尝试删除用户时,我的 AWS Educate 账户收到“您没有执行此操作所需的权限”? - When trying to delete a user I'm getting "You do not have the permission required to perform this operation" on my AWS Educate Account? 使用 Direct Connect 对 AWS 账户进行跨账户访问 - Cross account access for AWS accounts using Direct Connect 使用假定规则在3个AWS账户之间进行跨账户访问 - cross-account-access between 3 AWS accounts using assumeRule
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM