I have subscribed to an Amazon S3 Glacier service for 2 years. Two days ago my account was violated. Someone gained access to my AWS account, changed the reference email, registered tens of domains charging my credit card, and flooded my email for 2 hours with subscriptions to 200-300 sites. Then I blocked the card and it has been painful to find a way to contact AWS because they only respond to people who have an active account.
That said, I had no other kind of violation on any of my accounts/emails.
The question for me now is how they gained access to my AWS account. The password was strong.
One concern for me is that I am using rclone to sync S3 Glacier. I read that knowing the aws_key and aws_secret, hackers can gain access to the AWS account.
From your point of view, is there any mechanism by which they can gain access to AWS using rclone? How are the two keys stored in rclone? Do you have any idea of the mechanism they could use to gain access to AWS?
Run the command 'rclone version' and share the full output of the command.
os/kernel: 4.1.51 (aarch64)
Which cloud storage system are you using? (eg Google Drive)
You are right, I just checked the rclone.conf right now and really the two keys are stored in plain text!
How can I encrypt the rclone.conf?
Moreover my rclone is running on an Asus RT-AX88U. So you are saying they should have violated my router then? But I don't see any evidence of that. Or do you think there could be another way to access the information stored in the rclone.conf file?
Yes, I'm sure it is not rclone and of course I contacted AWS.
If you prefer you can move it to a different section if you think this one is not correct.
I posted here because I know there are a lot of great experienced people in this forum who have managed this stuff very well, so I hope that someone could answer my question:
"Do you know if, knowing the two AWS keys, someone can gain access to AWS, register domains, and change the email associated with my account?" The reason is that I didn't see any other security concern in my system except my error of forgetting to encrypt rclone.conf. So I want to be sure whether the way they hacked AWS was this one or I have to look in more detail elsewhere. Thanks for your comprehension.
Access to the two keys from the rclone config only gives you API access to what those keys are allowed to access. The trick is to make those keys able to access as little as possible. So tie them down to just S3 or just S3 and one bucket.
You can't use these keys to log into the AWS account so I'd agree with @asdffdsa that the compromise wasn't from the rclone config.
I agree with both Jojo and Nick and note one thing more:
Seems like someone got access to both your AWS account and your credit card info. Since rclone.conf doesn't store your credit card and it cannot be seen (completely) in the AWS console, you have to look broader for the machine/data that got compromised. Perhaps your AWS account info and credit card info are stored in the same password app/service?
If so, then you may have been more widely compromised than just your router. These are the most obvious possibilities:
The machine(s) used to access your password store is compromised - e.g. your main (Windows/Linux) machine (most likely)
The machine(s) used to store your password store is compromised - e.g. 1password.com (less likely)
The machine(s) used by AWS to handle your account info is compromised (least likely)
Your https communication was compromised by a quantum computer (unlikely)
Ole, unfortunately the way AWS works is that you store your credit card on AWS so they automatically charge your credit card when a service is requested. Not sure if I can remove my credit card because I have monthly payments for S3.
I don't have passwords stored on my machine
I use Bitwarden to store around 300 passwords but I don't have evidence of other violation on other accounts
What do you mean when you write that your credit card was used to sign up for subscriptions to 200-300 sites?
a) That somebody got access to your credit card information (number, expiry and 3 digit code) and used that on other sites?
b) That somebody used your AWS account to sign up for additional AWS services (charging the associated credit card)?
Sorry, but that doesn't prove that somebody didn't get access to your Bitwarden account (e.g. by compromising the machine used to access it). Do you have 2FA on your Bitwarden account?
Another possibility is that somebody compromised your computer while it was logged into your AWS account. (physically or using malware)
OK, sounds like these are the most likely possibilities:
somebody got access to the AWS role used in your rclone.config on the router, which had access to buy additional AWS services; seems like this could be the case - perhaps you used your root account. See below.
somebody got access to the AWS role used in your rclone.config on the router and used it to find your account name and then guessed/brute-forced your AWS password (assuming no 2FA enabled on the root account). I therefore suggest you activate MFA on your AWS root account as a proactive security measure.
somebody got access to your Bitwarden, but only used your AWS account (so far). I therefore suggest you change all important passwords stored in Bitwarden as a proactive security measure.
I fully agree setting up a secure S3 storage is far from the simplicity of e.g. Google Drive.
I am still an S3 beginner and only using it for tests now and then, but here is the setup I made for your inspiration:
I created one IAM user called "rclone-test" and assigned this simple policy:
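As an added illustration of Nick's advice to tie the keys down to one bucket and of Ole's single-IAM-user setup, here is example code written for this thread (not Ole's policy, which does not appear above): a least-privilege policy for an rclone-only IAM user, the over-broad alternative for contrast, and a small check that reports any grant reaching outside the one bucket. The bucket name is a constructed placeholder.

```python
import json

# Constructed bucket name; replace with the bucket the rclone remote points at.
BUCKET = "my-glacier-backups"

# Least-privilege policy for an IAM user that exists only for rclone: list one
# bucket and read/write/delete the objects inside it, nothing else.
RCLONE_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
            "Resource": f"arn:aws:s3:::{BUCKET}",
        },
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
        },
    ],
}

# For contrast: every S3 action on every bucket, far too much for a key in plain-text rclone.conf.
OVERLY_BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def unscoped_grants(policy, bucket):
    """Return (action, resource) pairs from Allow statements that reach beyond
    non-wildcard S3 operations on the given bucket and its objects."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            for resource in _as_list(stmt.get("Resource", [])):
                wildcard_action = action == "*" or action.endswith(":*")
                outside_s3 = not action.startswith("s3:")
                in_bucket = resource == bucket_arn or resource.startswith(bucket_arn + "/")
                if wildcard_action or outside_s3 or not in_bucket:
                    findings.append((action, resource))
    return findings

def policy_document(policy=RCLONE_BUCKET_POLICY):
    """JSON text ready to paste into the IAM console as an inline policy."""
    return json.dumps(policy, indent=2)
```

A key leaked from such a config can still touch that one bucket, so the policy limits the blast radius; it does not replace MFA on the root account.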
Ole, thanks a lot for your feedback.
Yes, as soon as I can I will better check the rights of the token I generated for S3.
Yes, considering the possibility of a violation of Bitwarden I already changed the password for the most important sites... still going on, following priorities
I will also have a look at the configuration of the IAM user for S3.
Thanks a lot again
I will keep you informed in case of developments.
The good thing is that a few minutes ago AWS refunded me the 165€ stolen via my credit card before I blocked it!