Amazon account abuse: Emergency script

Last night, I published an IAM key to GitHub by mistake. Shit happens… Two minutes later, the key was hijacked and my account was abused. I didn't realize this until this morning, and it took me multiple hours to understand what I had to do, and where, given that AWS is new to me. It's important to know that Amazon will NOT clean up the mess for you, whatever your situation is. You then have to go through each region and terminate all instances, delete all volumes and VPCs…

So, if this is happening to you, here is an emergency script you may run to terminate all instances on your account.

DISCLAIMER: THIS SCRIPT TERMINATES (DELETES) ALL INSTANCES ON YOUR ACCOUNT, IN ALL REGIONS. IT IS ONLY MEANT FOR PEOPLE USING THEIR AWS ACCOUNT FOR LABS AND LEARNING. IF YOU HAVE PRODUCTION ON YOUR ACCOUNT, DO NOT USE THIS SCRIPT!

#!/usr/bin/env bash

# Loop over every region. Ask for the region name field directly rather than
# cutting column 3, which moves when the CLI adds columns to the text output.
for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text)
do
  # Every instance in this region that is not already terminated
  for instance in $(aws ec2 describe-instances --region "$region" \
      --filters Name=instance-state-name,Values=pending,running,stopping,stopped \
      --query 'Reservations[].Instances[].InstanceId' --output text)
  do
    # Clear termination protection first; terminate-instances fails while it is set
    aws ec2 modify-instance-attribute \
      --region "$region" \
      --instance-id "$instance" \
      --no-disable-api-termination
    aws ec2 terminate-instances --region "$region" --instance-ids "$instance"
  done
done

This script loops through all instances in all regions on your account, disables termination protection (which prevents you from terminating the instances… smart of the abusers) and then terminates each instance.

When this is done, you still have to delete the DHCP options sets, VPCs and volumes, if any are left. Note that a volume can only be deleted once it is detached (status "available"), so volumes belonging to instances that are still shutting down have to wait.

To delete all the volumes you can run this script:

#!/usr/bin/env bash

for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text)
do
  # Only detached ("available") volumes can be deleted. Grepping "vol-" out of
  # the raw JSON also matched attachment entries and in-use volumes.
  for vol in $(aws ec2 describe-volumes --region "$region" \
      --filters Name=status,Values=available \
      --query 'Volumes[].VolumeId' --output text)
  do
    aws ec2 delete-volume --region "$region" --volume-id "$vol"
    echo "$region $vol deleted"
  done
done

It does the same as above, but for volumes instead of instances. Volumes still attached to instances that are shutting down are skipped; run it again once termination has finished.

I was not able to script the deletion of VPCs because of dependencies I could not identify. In my case there was one VPC per region, so this is not too cumbersome to handle. The worst was the instances… hundreds of them. A very costly mistake (we are talking about thousands of dollars if Amazon decides I have to pay for it).
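For reference, here is one script that does the whole sequence in a single pass: it clears termination protection and terminates the instances, waits for them, deletes the detached volumes, then tears down each VPC in dependency order (internet gateways, subnets, non-main route tables, non-default security groups) before deleting the VPC and the DHCP options sets left behind. This is an added example, not the original post's script and not anything Amazon provides; the AWS variable and the --yes-really interlock are this example's own conventions, and NAT gateways, VPC endpoints, network interfaces and custom network ACLs are left for delete-vpc's error message to point out. Before running anything like this, deactivate the leaked key (aws iam update-access-key --status Inactive), otherwise the abuser just recreates everything.

```shell
#!/usr/bin/env bash
# Added example, not the post's script: one-pass teardown of EC2 instances,
# volumes, VPCs and DHCP options sets in every region. Same warning as the
# post: it deletes everything it can find. AWS=<command> swaps in a stub.
set -euo pipefail
AWS="${AWS:-aws}"

regions() {
  # Ask for the name field; cutting column 3 breaks when the CLI adds columns.
  $AWS ec2 describe-regions --query 'Regions[].RegionName' --output text
}

# ids <region> <cli args...>: IDs from a describe-* call, one per line.
ids() {
  local region=$1; shift
  $AWS "$@" --region "$region" --output text | tr '\t' '\n' | grep -v '^None$' || true
}

terminate_instances() {
  local region=$1 i terminated=""
  for i in $(ids "$region" ec2 describe-instances \
      --filters Name=instance-state-name,Values=pending,running,stopping,stopped \
      --query 'Reservations[].Instances[].InstanceId'); do
    # Abusers set termination protection; terminate-instances fails until cleared.
    $AWS ec2 modify-instance-attribute --region "$region" --instance-id "$i" \
      --no-disable-api-termination
    $AWS ec2 terminate-instances --region "$region" --instance-ids "$i"
    terminated="$terminated $i"
  done
  # Root volumes stay in-use until termination completes. The waiter gives up
  # after about ten minutes on a large fleet; re-run the script for leftovers.
  [ -z "$terminated" ] || $AWS ec2 wait instance-terminated --region "$region" \
    --instance-ids $terminated || echo "$region: still terminating, re-run later"
}

delete_volumes() {
  local region=$1 v
  # Only detached ("available") volumes can be deleted.
  for v in $(ids "$region" ec2 describe-volumes --filters Name=status,Values=available \
      --query 'Volumes[].VolumeId'); do
    $AWS ec2 delete-volume --region "$region" --volume-id "$v"
  done
}

delete_vpc() {
  local region=$1 vpc=$2 x
  # Dependency order: internet gateways, subnets, extra route tables, extra
  # security groups, then the VPC. The main route table and the "default"
  # group cannot be deleted on their own; they go away with the VPC.
  for x in $(ids "$region" ec2 describe-internet-gateways \
      --filters Name=attachment.vpc-id,Values="$vpc" \
      --query 'InternetGateways[].InternetGatewayId'); do
    $AWS ec2 detach-internet-gateway --region "$region" --internet-gateway-id "$x" --vpc-id "$vpc"
    $AWS ec2 delete-internet-gateway --region "$region" --internet-gateway-id "$x"
  done
  for x in $(ids "$region" ec2 describe-subnets --filters Name=vpc-id,Values="$vpc" \
      --query 'Subnets[].SubnetId'); do
    $AWS ec2 delete-subnet --region "$region" --subnet-id "$x"
  done
  for x in $(ids "$region" ec2 describe-route-tables --filters Name=vpc-id,Values="$vpc" \
      --query 'RouteTables[?!(Associations[?Main])].RouteTableId'); do
    $AWS ec2 delete-route-table --region "$region" --route-table-id "$x"
  done
  for x in $(ids "$region" ec2 describe-security-groups --filters Name=vpc-id,Values="$vpc" \
      --query 'SecurityGroups[?GroupName!=`default`].GroupId'); do
    $AWS ec2 delete-security-group --region "$region" --group-id "$x"
  done
  $AWS ec2 delete-vpc --region "$region" --vpc-id "$vpc"
}

delete_dhcp_options() {
  local region=$1 d
  # A set can only be deleted once no VPC references it, hence after delete_vpc.
  for d in $(ids "$region" ec2 describe-dhcp-options --query 'DhcpOptions[].DhcpOptionsId'); do
    $AWS ec2 delete-dhcp-options --region "$region" --dhcp-options-id "$d"
  done
}

clean_region() {
  local region=$1 vpc
  terminate_instances "$region"
  delete_volumes "$region"
  for vpc in $(ids "$region" ec2 describe-vpcs --query 'Vpcs[].VpcId'); do
    delete_vpc "$region" "$vpc"
  done
  delete_dhcp_options "$region"
  echo "$region cleaned"
}

clean_account() {
  local r
  for r in $(regions); do clean_region "$r"; done
}

# Interlock: nothing is touched unless invoked as  ./cleanup.sh --yes-really
if [ "${1:-}" = "--yes-really" ]; then clean_account; fi
```

Run it as ./cleanup.sh --yes-really with the disclaimer above in mind; if the waiter times out on a large fleet, run it a second time to pick up the volumes and VPCs it could not touch the first time. Setting AWS to a shell function that echoes canned IDs gives a dry run showing exactly which calls would be made, in which order.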

Hope this does not happen to you.
