How to Investigate Abnormal Billing Increase in AWS SNS

dHill · September 22, 2023, 6:14pm

[SNS]

Hello everybody. Hope you’re doing great.
I noticed an abnormal billing increase in the SNS service. Looks like a “hacking” because billing shows thousands of SMS’s to France

I noticed all the Cloudwatch logs and I got even the number where the subscription was made
Cloudtrail just shows which user had the sns permissions, which services used sns but does not show why the SMS were sent to France or how.

How could I get more insights regarding this issue?

Is there any service where I could dive deeper?

Looking forward to your response.

Thanks in advance!

pOdom · September 22, 2023, 6:52pm

First thing I would check is if your devs have some hard coded “test” number, especially if they’re all to the same number in France

pOdom · September 22, 2023, 7:24pm

Like in the US testing it’s common to see something like tel:5555555555|555-555-5555 as a place holder for testing

pOdom · September 22, 2023, 7:35pm

Could also be someone spun up a phone number for testing, like a virtual number in twilio, mailosaur, etc

pOdom · September 22, 2023, 7:37pm

If you’re very confident it’s a compromise I would immediately contact your AWS rep and any internal security resources you have access to

pOdom · September 22, 2023, 8:25pm

Better safe than sorry and this could be an all hands on deck kind of issue if it really is an account compromise

pOdom · September 22, 2023, 9:18pm

Here’s also a blog post that may help you get more details about the messages
https://repost.aws/knowledge-center/monitor-sns-texts-cloudwatch|https://repost.aws/knowledge-center/monitor-sns-texts-cloudwatch

dHill · September 22, 2023, 10:17pm

Thanks a lot for your help

pOdom · September 22, 2023, 10:29pm

Interested to hear updates when you figure it out