How to Investigate Abnormal Billing Increase in AWS SNS

[SNS]

Hello everybody. Hope you’re doing great.
I noticed an abnormal billing increase in the SNS service. Looks like a “hacking” because billing shows thousands of SMS’s to France

I noticed all the Cloudwatch logs and I got even the number where the subscription was made
Cloudtrail just shows which user had the sns permissions, which services used sns but does not show why the SMS were sent to France or how.

How could I get more insights regarding this issue?

Is there any service where I could dive deeper?

Looking forward to your response.

Thanks in advance!

First thing I would check is if your devs have some hard coded “test” number, especially if they’re all to the same number in France

Like in the US testing it’s common to see something like tel:5555555555|555-555-5555 as a place holder for testing

Could also be someone spun up a phone number for testing, like a virtual number in twilio, mailosaur, etc

If you’re very confident it’s a compromise I would immediately contact your AWS rep and any internal security resources you have access to

Better safe than sorry and this could be an all hands on deck kind of issue if it really is an account compromise

Here’s also a blog post that may help you get more details about the messages
https://repost.aws/knowledge-center/monitor-sns-texts-cloudwatch|https://repost.aws/knowledge-center/monitor-sns-texts-cloudwatch

Thanks a lot for your help

Interested to hear updates when you figure it out