Containing an AWS account breach and restoring stability within hours

Leading Indian Foodtech Platform
Industry: Food & Beverage
Headquarters: Bangalore, Karnataka
Founded in: 2014
Company Size: 500+ Employees

Overview

The customer is a leading Indian food-tech platform focused on delivering freshly prepared, globally inspired meals. Running production workloads on Amazon Web Services, their infrastructure was built for rapid product development and high-growth operations.


However, as the platform scaled, security monitoring and incident response capabilities did not evolve at the same pace. Operating without a defined response framework or proactive alerting, the team lacked the visibility and control required to manage active security threats.

Challenges

When suspicious activity emerged, the team faced an active account compromise with limited visibility and response mechanisms:

  • Unauthorized infrastructure provisioning across multiple AWS regions in real time
  • Rapidly escalating cloud costs due to malicious resource creation
  • No visibility into access points, affected services, or blast radius
  • Lack of centralized logging and tooling to investigate account activity
  • Limited escalation support due to absence of AWS Premium Support
     

Immediate containment and investigation were critical to prevent further impact.

The Solution

Solution: Partner-led Support

As part of the Partner-led Support program, the Cloud Reliability Engineering team from CloudKeeper initiated a structured, multi-stage response to investigate, contain, and secure the environment.

Forensic Investigation
  • Leveraged AWS CloudTrail logs to reconstruct the sequence of events and identify the source of compromise
  • Detected exposure of an IAM access key used from unauthorized IP addresses
  • Mapped API activity to understand how infrastructure was provisioned across regions
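
The CloudTrail triage described above can be sketched as follows. This is an added example, not CloudKeeper's tooling: it flags calls made with an access key from outside a trusted network range and groups them by region into a timeline. The trusted range, the access key ID and the sample records are constructed placeholders; only the record field names are CloudTrail's own.

```python
import ipaddress
from collections import defaultdict

# Assumption: the organisation's known egress range (documentation range, RFC 5737).
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]

def rec(time, name, region, ip, key="AKIAEXAMPLEKEY000001"):
    """Build a constructed record using real CloudTrail field names."""
    return {"eventTime": time, "eventName": name, "awsRegion": region,
            "sourceIPAddress": ip, "userIdentity": {"type": "IAMUser", "accessKeyId": key}}

# Constructed sample data, not taken from the incident described on this page.
SAMPLE_RECORDS = [
    rec("2024-01-01T09:00:00Z", "DescribeInstances", "ap-south-1", "203.0.113.10"),
    rec("2024-01-01T02:15:00Z", "CreateCluster", "sa-east-1", "198.51.100.9"),
    rec("2024-01-01T02:12:00Z", "CreateAutoScalingGroup", "eu-west-1", "198.51.100.7"),
    rec("2024-01-01T02:10:00Z", "RunInstances", "us-east-1", "198.51.100.7"),
    rec("2024-01-01T02:13:00Z", "RunInstances", "eu-west-1", "autoscaling.amazonaws.com"),
]

def is_external_ip(value, trusted_nets):
    """True for a literal IP address that lies outside every trusted network."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False  # AWS service name instead of an IP; review those separately
    return not any(addr in net for net in trusted_nets)

def triage(records, trusted_nets=TRUSTED_NETS):
    """Map access key -> region -> time-ordered calls made from untrusted IPs."""
    hits = defaultdict(lambda: defaultdict(list))
    for r in records:
        key = r.get("userIdentity", {}).get("accessKeyId")
        ip = r.get("sourceIPAddress", "")
        if key and is_external_ip(ip, trusted_nets):
            hits[key][r["awsRegion"]].append((r["eventTime"], r["eventName"], ip))
    return {k: {reg: sorted(ev) for reg, ev in regs.items()} for k, regs in hits.items()}

def first_seen(findings, key):
    """Earliest untrusted call for a key: the starting point of the timeline."""
    return min(ev for events in findings[key].values() for ev in events)

if __name__ == "__main__":
    findings = triage(SAMPLE_RECORDS)
    for key, regions in findings.items():
        print(key, "first untrusted call:", first_seen(findings, key))
        for region, events in sorted(regions.items()):
            print(" ", region, events)
```

The per-region grouping gives the list of regions to inspect for leftover resources, and the earliest event bounds the window to review.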
Blast Radius Identification
  • Developed automation scripts to scan all enabled AWS regions
  • Identified unauthorized resources across Amazon EC2, AWS Auto Scaling, and Amazon ECS
  • Established complete visibility into impacted infrastructure and scope of compromise
Containment and Remediation
  • Revoked compromised IAM credentials immediately
  • Removed all unauthorized resources after validation
  • Coordinated with AWS to lift temporary account restrictions
  • Completed containment and remediation within hours of engagement
     
Security Hardening
  • Reviewed IAM policies and enforced least-privilege access controls
  • Improved monitoring and logging visibility for proactive detection
  • Prepared audit-ready documentation to support AWS refund claims
  • Strengthened overall security posture to prevent future incidents
     

CloudKeeper executed a rapid, structured incident response to investigate the breach, contain unauthorized activity, and restore full account stability.

Values Delivered

With CloudKeeper, the customer achieved:

  • Rapid containment of active security breach
  • Audit-ready documentation for cost exposure and refunds
  • Complete removal of unauthorized infrastructure
  • Strengthened IAM and monitoring controls
  • Restored account stability within hours

Conclusion

CloudKeeper helped the customer contain a live AWS account compromise by combining rapid forensic analysis, automated discovery, and structured remediation. What began as an uncontrolled breach was quickly transformed into a fully contained and stabilized environment.


With improved security controls, better visibility, and a hardened cloud foundation, the customer is now better equipped to detect, respond to, and prevent future threats with confidence.
 
