Reputation: 195
I am getting an Amazon abuse report regarding my EC2 instance.
Your Amazon EC2 Abuse Report :
has been implicated in activity which resembles attempts to access remote hosts on the internet without authorization. Activity of this nature is forbidden in the AWS Acceptable Use Policy (https://aws.amazon.com/aup/). We've included the original report below for your review.
Please take action to stop the reported activity and reply directly to this email with details of the corrective actions you have taken. If you do not consider the activity described in these reports to be abusive, please reply to this email with details of your use case.
If you're unaware of this activity, it's possible that your environment has been compromised by an external attacker, or a vulnerability is allowing your machine to be used in a way that it was not intended.
How to resolve this?
Upvotes: 2
Views: 3293
Reputation: 269826
I would suggest you Stop the instance. If you didn't create the instance, then Terminate it.
The main questions to answer are:
If you don't remember launching that particular instance, then it would appear that somebody has gotten hold of your AWS credentials and is using them to create resources in your account. You should change the password and Access Key for the root user and every IAM User to block them out.
If you did create the instance and there is evidence that they have gained access to your instance, then they would have needed to obtain your Private Keypair. You should assume that it is compromised and replace the keypair on any instances that are using it.
If all of this sounds confusing, you should contact AWS Customer Service, tell them about the notice you received, and ask for assistance.
Upvotes: 2
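To help settle whether you launched the reported instance, the following added example (not part of the answer above) reads CloudTrail records and reports which identity, access key and source address made each successful `RunInstances` call. The records, instance IDs, key IDs and the function names `launches` and `suspect_keys` are constructed for illustration.

```python
import json

# Constructed CloudTrail records (sample data, not from the question).
# Field names follow CloudTrail's record layout for the EC2 RunInstances call.
SAMPLE = json.loads("""{"Records": [
 {"eventTime": "2024-01-10T09:15:02Z", "eventName": "RunInstances",
  "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/deploy",
                   "accessKeyId": "AKIAEXAMPLE0000000001"},
  "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0aaa1111"}]}}},
 {"eventTime": "2024-01-12T03:40:11Z", "eventName": "RunInstances",
  "sourceIPAddress": "203.0.113.50", "errorCode": "Client.UnauthorizedOperation",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci",
                   "accessKeyId": "AKIAEXAMPLE0000000002"},
  "responseElements": null},
 {"eventTime": "2024-01-12T03:41:30Z", "eventName": "RunInstances",
  "sourceIPAddress": "203.0.113.50",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci",
                   "accessKeyId": "AKIAEXAMPLE0000000002"},
  "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0bbb2222"}]}}},
 {"eventTime": "2024-01-12T04:00:00Z", "eventName": "DescribeInstances",
  "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/deploy"}}
]}""")["Records"]

def launches(records):
    """Map instance ID -> who launched it, from successful RunInstances events."""
    found = {}
    for rec in records:
        if rec.get("eventName") != "RunInstances" or rec.get("errorCode"):
            continue  # other API calls, or launch attempts that were denied
        resp = rec.get("responseElements") or {}
        ident = rec.get("userIdentity") or {}
        for item in (resp.get("instancesSet") or {}).get("items", []):
            found[item["instanceId"]] = {
                "when": rec.get("eventTime"), "who": ident.get("arn"),
                "access_key": ident.get("accessKeyId"),
                "source_ip": rec.get("sourceIPAddress")}
    return found

def suspect_keys(records, known_ips):
    """Access keys that launched instances from addresses you do not recognise."""
    return sorted({e["access_key"] for e in launches(records).values()
                   if e["source_ip"] not in known_ips and e["access_key"]})

if __name__ == "__main__":
    reported = "i-0bbb2222"  # placeholder for the instance ID in the abuse report
    print(launches(SAMPLE).get(reported))
    print(suspect_keys(SAMPLE, known_ips={"198.51.100.7"}))
```

A launch from an address you do not recognise points to the stolen-credentials case in the answer; a launch you recognise points to the instance itself having been accessed.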