Real-World AWS Account Compromises and How Lacework Stops Them

I’m excited and proud to announce that Lacework’s Polygraph technology is now available to protect your AWS account. If you’re an AWS customer, you already know you’re on the hook to secure your own data. Under Amazon’s shared security model, you’re also responsible for the security of your AWS account. Think of it this way: your data, applications, and workloads are your “data plane” and your AWS account is your “control plane.” You have to protect them both.

Amazon recommends using AWS CloudTrail data to protect your AWS account. CloudTrail logs all account activity (potentially millions of log lines each day), but it’s still up to you to interpret the data. That’s where our security solution for AWS CloudTrail comes in. With Lacework, you can:

  • Easily visualize AWS account behaviors and activities
  • Automatically detect behavior and usage anomalies and receive alerts
  • Quickly investigate your account and determine what happened

Gone are the days when your security team either ignored CloudTrail for lack of bandwidth or spent several hours per day investigating alerts that ended up being false positives.

Attacks on AWS accounts are different from attacks on your workloads. To show what can happen when your account is compromised, here are three true-crime tales of actual AWS account compromises and the devastating results:

Theft of AWS Computing Resources

Bitcoin mining turns compute cycles directly into digital cash, but mining with your own computer costs money. For the enterprising cybercriminal looking to maximize profits, compromised public cloud accounts make mining cost-free. It’s the ideal way to monetize stolen credentials.

In 2014 and 2015, cybercriminals found cleartext AWS account credentials in source code published on GitHub. A rash of bitcoin mining ensued as miners made the most of their discovery. Here’s a bill to one such customer – as you can see, their EC2 costs went from $5.93 to $5,360.00. Somewhere, someone is rolling in sweet, sweet bitcoin…


With Lacework, you’ll spot unauthorized new compute entities immediately before your compute costs get out of hand.

Cyber Extortion

As more and more critical operations transition to the cloud, extortion gets more and more interesting to cybercriminals. Consider the extreme case of a born-in-the-cloud software services company operating entirely from AWS. An attacker using stolen credentials gained control of their service and held it hostage for ransom. The company fought back by shutting down the account – but the adversary, anticipating that move, had set up more admin accounts. Every time they down one account, another one went into action.

Eventually, the attacker tired of the game and deleted the company’s AWS entities. They were finished. The entire incident, from the initial attack to the company’s demise, lasted less than 18 hours.

Just a couple of months ago, the Petya ransomware attack led one firm to greet arriving employees with the following message. Even if your company survives, cyber extortion disruptions are very real:


In this case, Lacework alerts would have notified you the moment the attacker created new accounts and modified privileges. This attack could have been stopped before it even got underway.

Theft of Data

Earlier this year, several large organizations found themselves in the news for exposing millions of sensitive records on AWS. Each company made the same mistake: they misconfigured data stores for “semi-private” access, which allowed any AWS account – even those not affiliated with the company – to see data. Millions of records were exposed through simple human error.

The cloud amplifies these vulnerabilities. In an on-premises data center, security measures and implementation details are unique to each organization. Now, cloud databases can be in direct contact with the Internet at all times, and everyone uses the same AWS tools and technologies. So when criminals (or even researchers) find one misconfigured entity, dozens with the same problem are instantly exposed.

Since human error is behind the vast majority of security incidents there’s really no mitigating these types of vulnerabilities. (Verizon’s own DBIR annually reports “misconfigurations” as a leading problem. No, the irony is not lost on us.)


An attack on your AWS account can be just as devastating as an attack on your workloads. With Lacework, you can protect them both.

Lacework’s powerful Polygraph technology keeps you safe without rules, policies, or log analysis. Start a free trial now. Before the end of the day, you’ll be visualizing AWS account activities and identifying potential security incidents – all without developing rules or policies and without lengthy configuration and setup tasks.