Service Domain Incidents - AWS Security Incident Response Guide

Service Domain Incidents

Service domain incidents are typically handled exclusively through AWS APIs.

Identities

AWS provides APIs to our cloud services that are used by millions of customers to build new applications and drive business outcomes. These APIs can be invoked through many methods, such as the software development kits (SDKs), the AWS CLI, and the AWS Management Console. To interact with AWS through these methods, the IAM service helps you securely control access to AWS resources. You can use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources at the account level. For a list of AWS services that you can use with IAM, see AWS Services That Work with IAM.

When you first create an AWS account, you begin with a single sign-in identity that has complete access to all AWS services and resources in the account. This identity is called the AWS account root user and is accessed by signing in with the email address and password that you used to create the account. We strongly recommend that you do not use the root user for your everyday tasks, and particularly not for administrative tasks. Instead, we recommend that you follow the best practice of using the root user only to create your first IAM user, securely store the root user credentials, and perform only the few account and service management tasks that require the root user. For more information, see Create Individual IAM Users.

Although these APIs provide value to millions of customers, some of them can be abused if the wrong individuals get access to your IAM or root user credentials. For example, you can use the APIs to enable logging within your account, such as AWS CloudTrail. However, if attackers obtain your credentials, they can also use the same APIs to disable those logs. You can reduce this type of abuse by configuring IAM permissions that follow a least privilege model, and by properly protecting your IAM credentials. For more information, see IAM Best Practices in the AWS Identity and Access Management User Guide. If this type of event does occur, there are multiple detective controls that can identify that your AWS CloudTrail logging was disabled, including AWS CloudTrail itself, AWS Config, AWS Trusted Advisor, Amazon GuardDuty, and Amazon CloudWatch Events.
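As an added example (not part of the guide), the following Python flags two of the conditions the preceding paragraphs describe in a batch of CloudTrail records: API calls that stop, delete or reconfigure a trail, and any API call made by the account root user. The records are constructed in CloudTrail's JSON layout; the account ID, IP addresses and trail name are placeholders.

```python
import json
from typing import Any, Dict, Iterable, List

# CloudTrail management API calls that stop, delete or reconfigure a trail.
LOGGING_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def classify_event(record: Dict[str, Any]) -> List[str]:
    """Return finding labels for one CloudTrail record; an empty list means nothing notable."""
    findings: List[str] = []
    if (record.get("eventSource") == "cloudtrail.amazonaws.com"
            and record.get("eventName") in LOGGING_TAMPER_EVENTS):
        findings.append("cloudtrail-logging-tampered")
    if record.get("userIdentity", {}).get("type") == "Root":
        findings.append("root-user-api-call")
    return findings


def scan_records(records: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Run classify_event over a batch of records and keep only those that produced findings."""
    alerts = []
    for rec in records:
        labels = classify_event(rec)
        if labels:
            alerts.append({
                "eventTime": rec.get("eventTime"),
                "eventName": rec.get("eventName"),
                "principal": rec.get("userIdentity", {}).get("arn"),
                "sourceIPAddress": rec.get("sourceIPAddress"),
                # A denied call still carries errorCode; the attempt itself is worth an alert.
                "succeeded": "errorCode" not in rec,
                "findings": labels,
            })
    return alerts


# Constructed sample records (placeholder account ID, IPs and trail name).
SAMPLE_RECORDS = json.loads("""{"Records": [
 {"eventTime": "2023-05-01T10:00:00Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "DescribeTrails",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/auditor"}, "sourceIPAddress": "203.0.113.10"},
 {"eventTime": "2023-05-01T10:05:00Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/deploy-bot"}, "sourceIPAddress": "198.51.100.7",
  "requestParameters": {"name": "management-events"}, "errorCode": "AccessDenied"},
 {"eventTime": "2023-05-01T10:07:00Z", "eventSource": "s3.amazonaws.com", "eventName": "CreateBucket",
  "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}, "sourceIPAddress": "198.51.100.7"}
]}""")["Records"]

if __name__ == "__main__":
    for alert in scan_records(SAMPLE_RECORDS):
        print(json.dumps(alert))
```

The denied StopLogging attempt is reported with `succeeded: false`, since a least-privilege policy that blocks the call does not remove the need to investigate who tried it.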

Resources

Other features that can be abused or misconfigured vary from organization to organization, based on how each customer operates in the cloud. For example, some organizations intend to make certain data or applications publicly accessible, while others keep their applications and data internal and confidential. Not all security events are malicious in nature; some result from unintentional or improper configurations. Consider which APIs or features have a high impact on your organization, and whether you use them frequently or infrequently.

You can identify many security misconfigurations using tools and services. For example, AWS Trusted Advisor provides a number of checks for best practices. APN Partners also offer hundreds of industry-leading products that are equivalent or identical to, or integrate with, the controls you already run in your on-premises environments. A number of these products and solutions have been prequalified by the AWS Partner Competency Program. We encourage you to visit the Configuration and Vulnerability Analysis section of the APN Security Competency program to browse these solutions and determine whether they satisfy your requirements.