AWS hacked account

What is the problem you are having with rclone?

I have subscribed to an Amazon S3 Glacier service for two years. Two days ago my account was compromised. Someone gained access to my AWS account, changed the reference email, registered tens of domains charged to my credit card, and flooded my email for 2 hours with subscriptions to 200-300 sites. Then I blocked the card, and it has been painful to find a way to contact AWS because they only respond to people who have an active account.
That said, I had no other kind of compromise on any of my accounts/emails.
The question for me now is how they gained access to my AWS account. The password was strong.
One concern for me is that I am using rclone to sync to S3 Glacier. I read that, knowing the aws_key and aws_secret, hackers can gain access to the AWS account.
From your point of view, is there any mechanism by which they could gain access to AWS using rclone? How are the two keys stored in rclone? Do you have any idea of the mechanism they could use to gain access to AWS?

Run the command 'rclone version' and share the full output of the command.

rclone 1.60.1

  • os/version: unknown
  • os/kernel: 4.1.51 (aarch64)
  • os/type: linux
  • os/arch: arm64
  • go/version: go1.19.3
  • go/linking: static
  • go/tags: noselfupdate

Which cloud storage system are you using? (eg Google Drive)

S3

rclone is NOT the source of your problem.
the keys are for accessing buckets/objects; they have nothing at all to do with logging into the aws website.
they have nothing to do with accessing credit cards.

did you encrypt the rclone config file?
if not, the keys are stored as plain text.

You are right, I just checked the rclone.conf and the two keys really are stored in plain text!

How can I encrypt the rclone.conf?

Moreover, my rclone is running on an Asus RT-AX88U. So you are saying they would have had to compromise my router? But I don't see any evidence of that. Or do you think there could be another way to access the information stored in the rclone.conf file?

Thanks a lot for your feedback in the meantime!

https://rclone.org/docs/#configuration-encryption

NO way the keys inside the rclone config file can be used to compromise the AWS account.
rclone does not know:
--- your account email address
--- your account password
--- your account two-factor secret

fwiw, the hacker got access to your root account;
if you saved that info unencrypted on your machine, then .....
best never to use the root account, and never to store that info as plain text.

Sure. I was not saying rclone is the problem!
Are you really sure that, knowing the two keys, you are not able to use some AWS APIs to register websites on AWS, thus charging the credit card?

now we are getting outside the scope of rclone support. you need to contact aws.

Yes, I'm sure it is not rclone, and of course I contacted AWS.
If you prefer, you can move it to a different section if you think this one is not correct.
I posted here because I know there are a lot of greatly experienced people in this forum who have managed this stuff very well, so I hope that someone could answer my question:
"Do you know if, knowing the two AWS keys, someone can gain access to AWS, register domains, and change the email associated with my account? The reason is that I didn't see any other security concern in my system except my mistake of forgetting to encrypt rclone.conf. So I want to be sure whether the way they hacked AWS was this one or I have to look in more detail elsewhere. Thanks for your understanding."

Access to the two keys from the rclone config only gives you API access to what those keys are allowed to access. The trick is to make those keys able to access as little as possible. So tie them down to just S3 or just S3 and one bucket.

You can't use these keys to log into the AWS account so I'd agree with @asdffdsa that the compromise wasn't from the rclone config.


I agree with both Jojo and Nick and noted one thing more:

Seems like someone got access to both your AWS account and your credit card info. Since rclone.conf doesn't store your credit card and it cannot be seen (completely) in the AWS console, you have to look broader for the machine/data that got compromised. Perhaps your AWS account info and credit card info are stored in the same password app/service?

If so, then you may have been more widely compromised than just your router. These are the most obvious possibilities:

  • The machine(s) used to access your password store is compromised - e.g. your main (Windows/Linux) machine (most likely)
  • The machine(s) used to store your password store is compromised - e.g. 1password.com (less likely)
  • The machine(s) used by AWS to handle your account info is compromised (least likely)
  • Your https communication was compromised by a quantum computer (unlikely)

Thanks a lot Nick!
That is now clear. I was not aware that the two keys only allow access to the S3 service. That is good and very secure and makes me more comfortable with that.

Ole, unfortunately the way AWS works is that you store your credit card on AWS so they automatically charge your credit card when a service is requested. Not sure if I can remove my credit card because I have monthly payments for S3.

I don't have passwords stored on my machine

I use Bitwarden to store around 300 passwords but I don't have evidence of other violation on other accounts

This is what I suppose, or I strongly hope!

Yes, I think this is very unlikely.

Perhaps we misunderstand each other.

What do you mean when you write that your credit card was used to sign up for subscriptions to 200-300 sites?

a) That somebody got access to your credit card information (number, expiry and 3 digit code) and used that on other sites?
b) That somebody used your AWS account to sign up for additional AWS services (charging the associated credit card)?

Sorry, but that doesn't prove that somebody didn't get access to your Bitwarden account (e.g. by compromising the machine used to access it). Do you have 2FA on your Bitwarden account?

Another possibility is that somebody compromised your computer while it was logged into your AWS account. (physically or using malware)

Do you see other more likely scenarios?

b)

Now I added 2FA. Before, it was not enabled. Of course I access Bitwarden from Chrome on different machines and from my cellphone.

I had not logged into AWS for 3 months. So this option should be unlikely

I have a VPN set on my Asus router.

Did the IAM user in your rclone.conf on the router have access to buy the additional services?

Not sure if the IAM user or the root user.
But for sure one of the two can do that, otherwise the hacker could not have enabled additional services.

Anyway, even if I could disable the possibility of buying additional services, I guess that if the hacker has access to AWS he can change this setting, can't he?

AWS is sooo complicated that sometimes I get lost!

OK, it sounds like these are the most likely possibilities:

  1. somebody got access to the AWS role used in your rclone.conf on the router which had access to buy additional AWS services; seems like this could be the case, perhaps you used your root account. See below.
  2. somebody got access to the AWS role used in your rclone.conf on the router and used it to find your account name and then guessed/brute forced your AWS password (assuming no 2FA enabled on the root account). I therefore suggest you activate MFA on your AWS root account as a proactive security measure.
  3. somebody got access to your Bitwarden, but only used your AWS account (so far). I therefore suggest you change all important passwords stored in Bitwarden as a proactive security measure.

I fully agree setting up a secure S3 storage is far from the simplicity of e.g. Google Drive.

I am still an S3 beginner and only using it for tests now and then, but here is the setup I made for your inspiration:

I created one IAM user called "rclone-test" and assigned this simple policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListAllMyBuckets",
                "s3:CreateBucket",
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:DeleteBucket",
                "s3:PutObjectAcl"
            ],
            "Resource": "*"
        }
    ]
}

and then used this IAM user's access key in rclone.

The profile is inspired by the rclone S3 docs and some forum posts. I would consider locking it down to only the relevant bucket if I had multiple buckets and important data.


Ole, thanks a lot for your feedback.
Yes, as soon as I can I will check the rights of the token I generated for S3 more carefully.
Yes, considering the possibility of a Bitwarden compromise, I already changed the passwords for the most important sites... still going on, following priorities.

I will also have a look at the configuration of the IAM user for S3.

Thanks a lot again

I will keep you informed in case of evolution.

The good thing is that a few minutes ago AWS refunded me the 165€ stolen from my credit card before I blocked it! :)


great!

the hack could have been from using a password manager as an add-on inside a web browser.
you might use the bitwarden app separate from the web browser.

what i do is the following.
for each bucket, i create an IAM user with MFA


and a bucket policy of

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::100000065159:user/user.name"
      },
      "Action": [
        "s3:ListBucket",
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::name/*",
        "arn:aws:s3:::name"
      ]
    }
  ]
}
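Nick's advice above ("tie them down to just S3 and one bucket"), Ole's IAM user policy and the per-bucket policy in the last post all come down to the same question: what could a key lifted from a plaintext rclone.conf actually do? The script below is an added example, not rclone code and not an AWS tool. It embeds the two policies from this thread (the trailing comma in the second one removed so it parses; the account ID replaced by a placeholder), flags the grants a reviewer would question (wildcard resources, actions outside S3, bucket create/delete, actions a plain sync does not need), and builds a policy confined to one bucket. The bucket name `my-backup-bucket` and the minimal action set are assumptions for the example.

```python
"""Audit IAM / S3 bucket policy documents for over-broad grants.

Added example for this thread; it is not part of rclone and not an AWS tool.
Both sample policies are copied from the thread (second one with its trailing
comma removed and the account ID replaced by the placeholder 123456789012).
"""
import json

# Assumption: a plain `rclone sync` to a known bucket needs only these.
SYNC_ACTIONS = {"s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject"}
# Bucket-level actions that let a leaked key create or destroy buckets.
BUCKET_LIFECYCLE = {"s3:CreateBucket", "s3:DeleteBucket"}

# Ole's IAM user policy from the thread (Resource "*" over all of S3).
POLICY_IAM_USER = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "VisualEditor0", "Effect": "Allow",
    "Action": ["s3:PutObject", "s3:GetObject", "s3:ListAllMyBuckets",
               "s3:CreateBucket", "s3:ListBucket", "s3:DeleteObject",
               "s3:DeleteBucket", "s3:PutObjectAcl"],
    "Resource": "*"
  }]
}"""

# The per-bucket policy from the last post (placeholder account ID).
POLICY_BUCKET = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:user/user.name"},
    "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
    "Resource": ["arn:aws:s3:::name/*", "arn:aws:s3:::name"]
  }]
}"""


def _as_list(value):
    """IAM allows a single string or a list for Action/Resource."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return (sid, finding) pairs for every questionable Allow grant.

    `policy` may be a JSON string or an already-parsed dict.
    """
    doc = json.loads(policy) if isinstance(policy, str) else policy
    findings = []
    for n, stmt in enumerate(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement{n}")
        if any(r == "*" for r in _as_list(stmt.get("Resource", []))):
            findings.append((sid, "Resource is '*': grant is not limited to one bucket"))
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append((sid, f"wildcard action {action}"))
            elif not action.startswith("s3:"):
                findings.append((sid, f"non-S3 action {action}: key reaches other services"))
            elif action in BUCKET_LIFECYCLE:
                findings.append((sid, f"bucket lifecycle action {action}"))
            elif action not in SYNC_ACTIONS:
                findings.append((sid, f"{action} is outside the minimal sync set"))
    return findings


def single_bucket_policy(bucket):
    """Build an IAM policy that confines a user to one bucket for rclone sync.

    ListBucket applies to the bucket ARN, object actions to bucket/* only.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ListOnlyThisBucket", "Effect": "Allow",
             "Action": ["s3:ListBucket"],
             "Resource": [f"arn:aws:s3:::{bucket}"]},
            {"Sid": "ObjectsInThisBucket", "Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
             "Resource": [f"arn:aws:s3:::{bucket}/*"]},
        ],
    }


if __name__ == "__main__":
    for name, pol in (("IAM user policy", POLICY_IAM_USER),
                      ("bucket policy", POLICY_BUCKET),
                      ("scoped policy", single_bucket_policy("my-backup-bucket"))):
        print(f"== {name}")
        for sid, finding in audit_policy(pol) or [("-", "no findings")]:
            print(f"  [{sid}] {finding}")
```

Run it and the IAM user policy draws five findings (the `*` resource, the two bucket lifecycle actions, and `ListAllMyBuckets`/`PutObjectAcl` outside the sync set), while the per-bucket policy and the generated one draw none. A finding is a prompt to justify the grant, not proof of a problem: `s3:ListAllMyBuckets`, for instance, is what lets `rclone lsd remote:` enumerate buckets, so drop it only if every rclone path names its bucket.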