←back to thread

Ask HN: Our AWS account got compromised after their outage

391 points kinj28 | 1 comments | 21 Oct 25 15:55 UTC | HN request time: 0.001s | source

Could there be any link between the two events?

Here is what happened:

Some 600 instances were spawned within 3 hours before AWS flagged it off and sent us a health event. There were numerous domains verified and we could see SES quota increase request was made.

We are still investigating the vulnerability at our end. our initial suspect list has 2 suspects. api key or console access where MFA wasn’t enabled.

Show context
timdev2 ◴[21 Oct 25 17:03 UTC] No.45658257[source]
I would normally say that "That must be a coincidence", but I had a client account compromise as well. And it was very strange:

Client was a small org, and two very old IAM accounts had suddenly had recent (yesterday) console log ins and password changes.

I'm investigating the extent of the compromise, but so far it seems all they did was open a ticket to turn on SES production access and increase the daily email limit to 50k.

These were basically dormant IAM users from more than 5 years ago, and it's certainly odd timing that they'd suddenly pop on this particular day.

replies(3): >>45659427 #>>45663754 #>>45672001 #
tcdent ◴[21 Oct 25 18:13 UTC] No.45659427[source]
Smells like a phishing attack to me.

Receive an email that says AWS is experiencing an outage. Log into your console to view the status, authenticate through a malicious wrapper, and compromise your account security.

replies(4): >>45659478 #>>45659699 #>>45664258 #>>45665835 #
SoftTalker ◴[21 Oct 25 18:16 UTC] No.45659478[source]
Good point. Phishers would certainly take advantage of a widely reported outage to send emails related to "recovering your services."

Even cautious people are more vulnerable to phishing when the message aligns with their expectations and they are under pressure because services are down.

Always, always log in through bookmarked links or typing them manually. Never use a link in an email unless it's in direct response to something you initiated and even then examine it carefully.

replies(4): >>45662463 #>>45663256 #>>45663324 #>>45668083 #
roblabla ◴[21 Oct 25 22:21 UTC] No.45662463[source]
You can also use phishing-resistant login/2FA like passkeys/FIDO keys, where it is available (and I'm pretty sure amazon supports it), to minimize the risk of accidentally login into a phishing website while under pressure.
replies(2): >>45662936 #>>45662955 #
akerl_ ◴[21 Oct 25 23:12 UTC] No.45662955[source]
If my memory is correct, AWS supports FIDO for web login but not for the API, so you either have to restrict access to FIDO and then use the web UI for everything done as that user, or have a separate non-FIDO MFA device (without FIDO's phishing resistance) for terminal/API interactions.
replies(1): >>45664405 #
jorvi ◴[22 Oct 25 02:50 UTC] No.45664405[source]
You can generate temporary AWS keys for privileged users: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credenti...

Of course, as always, PEBKAC. You will have to strictly follow protocol, and not every team is willing to jump through annoying hoops every day.

replies(1): >>45664554 #
akerl_ ◴[22 Oct 25 03:14 UTC] No.45664554[source]
Can you actually generate temporary AWS STS credentials via FIDO MFA?

Again, last I looked, FIDO MFA credentials cannot be used for API calls, which you'd need to make for STS credential generation.

replies(1): >>45664672 #
jorvi ◴[22 Oct 25 03:35 UTC] No.45664672[source]
You don't put the temporary credentials behind FIDO because they're temporary anyway. You put FIDO on the main account that has the privilege to generate the temporary credentials.

So in the off chance that you get a phishing mail, you generate temporary credentials to take whatever actions it wants, attempt to log in with those credentials, get phished, but they only have access to API for 900s (or whatever you put as the timeout, 900s is just the minimum).

900s won't stop them from running amok, but it caps the amok at 900s.

replies(1): >>45664743 #
akerl_ ◴[22 Oct 25 03:53 UTC] No.45664743[source]
You aren't grokking what I'm saying. AWS does not allow FIDO2 as an MFA method for API calls.

So if your MFA device for your main account is a FIDO2 device, you either:

1. Don't require MFA to generate temporary credentials. Congrats, your MFA is now basically theater.

2. Do require MFA to generate temporary credentials. Congrats, the only way to generate temporary credentials is to instead use a non-FIDO MFA device on the main account.

Nobody is getting a phishing email, going to the terminal, generating STS credentials, and then feeding those into the phish. The phish is punting them to a fake AWS webpage. Temporary credentials are a mitigation for session token theft, not for phishing.

replies(1): >>45665657 #
computerfriend ◴[22 Oct 25 06:48 UTC] No.45665657[source]
I think you're not grokking it.

Require FIDO2-based MFA to log into AWS via Identity Center, then run aws sso login to generate temporary credentials which will be granted only if the user can pass the FIDO2 challenge.

The literal API calls aren't requesting a FIDO2 challenge each time, just like the console doesn't require it for every action. It's session based.

replies(1): >>45667673 #
akerl_ ◴[22 Oct 25 11:49 UTC] No.45667673[source]
I definitely wasn’t grokking that, because the prior commenter never mentioned AWS Identity Center, and instead linked to STS, which works how I described (you can’t use FIDO MFA for the authentication of the call that gives you your short-lived session creds).

I’m excited to see that Identity Center supports FIDO2 for this use case.

replies(1): >>45670007 #
1. jorvi ◴[22 Oct 25 14:51 UTC] No.45670007[source]
You weren't grokking it because I was hasty (and tired) and provided the wrong link. My bad!