Top cloud providers go to great lengths to protect customer privacy and prevent unauthorized users from gaining access to restricted accounts using real-time monitoring and end-to-end encryption.
However, hackers can breach the public cloud, and accidents can and will happen.
Cloud accounts are hacked through errors such as credential leaks or compromised end-user machines and compute instances — giving bad actors unchecked access to sensitive data and potentially even administrative controls.
As such, companies must have procedures in place to ensure they can rapidly detect breaches and immediately respond to them when they occur.
If the security team observes unauthorized activity within its cloud account — or someone on the team believes that an unauthorized party has accessed to an account — here’s what the team needs to do:
Step 1: Reduce impact on accounts.
When a breach occurs, perform damage control on all of the company’s cloud accounts. Here’s what to do:
- Change the root user password.
First things first: Change the cloud account root user password. This will make it harder for the intruder to access the system. If nobody on the team has the cloud root user password handy, check at the workaround from the cloud provider. Here’s a link to one from Amazon.
- Rotate the root and IAM access keys.
Next, rotate and delete all of root and cloud identity and access management (IAM) access keys. As a security best practice, most cloud providers change access keys on a regular schedule to shorten the period that the access key is active. This reduces the business impact, and overall blast radius in the event one becomes compromised.
- Deprovision user access.
It’s also important to delete any potentially unauthorized IAM users. Once that’s done, change the password for every other IAM user. This way, the team can zero- in on any potential users who may have accessed the system.
Hacked or not, periodically review user access to ensure only authorized users can access corporate systems. Companies tend to run into trouble when they lose track of exactly who and what users can access their tools, databases, and applications.
Delete any resources on the cloud account that the team didn't create. This would include Amazon Elastic Compute Cloud (EC2) instances, Amazon Machine Images (AMIs), Amazon Elastic Block Store (EBS) volumes and snapshots, as well as IAM users.
Just make sure team members know what they are deleting when taking this step. That way, the team can ensure it doesn’t accidentally erase any critical services.
At this point, it’s also a good idea to respond to any notifications that team may have received from Cloud Support through the Cloud Support Center.
Step 2: Reduce the impact on users.
In addition to taking steps to protect corporate cloud accounts, the team also needs to protect user accounts. Start by changing the passwords of any IAM users on the network. Here’s what to do:
- Delete any IAM users that the team didn't create.
It’s always a good idea to keep an inventory with a running list anyways, but that’s especially helpful during this process — and even more so if the team has to manage multiple accounts. It also makes sense to delete any potentially unauthorized IAM users with access to company systems
Step 3: Reduce the impact on access keys.
Finally reduce any potential damage to your access keys. Follow these two steps:
- Update access keys.
Here, it’s a good idea to rotate and delete all cloud access keys. If team members find cloud access keys that they no longer need or didn't create, delete them. And if an application currently uses an access key, replace it with a new one.
- Confirm all resources.
Next, sign in to the cloud account and check to make sure that all the resources are ones that the team has launched — as opposed to a bad actor. Also, check all cloud regions, and specifically regions where team members have never launched cloud resources.
Final Tip: Find help to automate cloud security monitoring.
Monitoring, detecting, and responding to a cloud hack effectively has become a tall order. But security teams don’t have to do it on their own.
Scanning for evidence of unauthorized usage, access, and drift will free the team to focus their efforts on remediation instead of spending their time monitoring backend systems for signs of unwanted activity.
Cloud drift, in particular, has become a leading cause of data breaches — especially in the healthcare sector. This issue tends to happen when account changes occur after provisioning, causing the environment to “drift” from its original state. This often occurs because of resource changes, employee mistakes, and non-human errors. Taking a proactive stance to cloud security can help mitigate these risks.
Eric Kedrosky, chief information security officer, Sonrai Security
