What AWS services does Vigilare monitor?

Vigilare monitors 7+ AWS services: Billing (cost anomalies and usage spikes), IAM (policy drift, root account usage, missing MFA), GuardDuty (threat findings), SES (sending reputation), CloudTrail (suspicious API patterns), Service Quotas (limit utilisation), and Account Health (AWS notifications). Coverage is continuously expanded.

How does Vigilare access my AWS account?

Vigilare uses a read-only cross-account IAM role that you provision using our open-source Terraform module. The role grants only the minimum permissions required for monitoring — no write access, no credential storage, and no data leaves your account except what is needed to display findings in your dashboard.

How quickly will I be alerted?

Depending on your plan, Vigilare scans every 1, 5, or 15 minutes. Alerts are delivered in real time via email, Slack, or PagerDuty the moment a threshold is crossed. The typical end-to-end latency from event to alert is under 90 seconds.

Can I monitor multiple AWS accounts?

Yes. The Solo plan covers 1 account, Team supports up to 10, Agency up to 50, and Enterprise is unlimited. All accounts appear in a single dashboard with per-account risk scores and consolidated alert feeds.

Is my AWS data secure?

All data is encrypted at rest with AES-256 and in transit with TLS 1.2+. Vigilare's control plane runs on AWS infrastructure in dedicated, isolated tenants. We never store raw AWS credentials. The platform is SOC 2 Type II compliant and we provide reports on request for Enterprise customers.

Is there a free trial?

Yes — all paid plans include a 14-day free trial. No credit card is required to get started. You can connect your first AWS account and see findings within 5 minutes of signing up.

What happens if I exceed my account limit?

We'll notify you as you approach your account limit and give you the option to upgrade. We won't stop monitoring your existing accounts without notice.

Can I cancel at any time?

Yes. There are no long-term contracts. You can cancel your subscription at any time from the billing settings page. Your access continues until the end of the current billing period.

AWS Abuse Prevention: Protecting Your Account from AUP Violations

AWS's Acceptable Use Policy prohibits using AWS services for activities that harm others or violate laws. The relevant categories for account security are primarily network abuse (launching attacks, port scanning third parties, DDoS participation), email abuse (spam, phishing), and resource abuse (unauthorized mining using compromised accounts). What makes AUP enforcement particularly consequential is that AWS doesn't always distinguish between intentional policy violations and compromised accounts where a third party caused the violation.

An account owner whose credentials were stolen and used to launch a DDoS attack may receive the same abuse notification as someone intentionally running DDoS infrastructure. The response process is different — demonstrating you were compromised rather than acting maliciously — but the initial impact (service disruption, account review, potential suspension) is similar. Preventing the abuse in the first place is better than explaining it afterward.

Common Sources of AWS Abuse Notifications

Email spam: Unauthorized use of SES to send spam is one of the most reported abuse categories. A compromised account with SES sending enabled can send millions of spam emails before being detected. AWS receives complaints directly from spam filtering services and ISPs via feedback loops, triggering immediate investigation. See SES account suspension for the full picture of SES abuse prevention.

Network scanning and DDoS: EC2 instances used for port scanning against third-party IP addresses, or participating in DDoS attacks, generate abuse reports from target organizations who trace attacks to AWS IP addresses. These are typically spotted quickly because network-level attacks generate obvious traffic patterns visible in VPC Flow Logs and trigger GuardDuty findings.

Malware hosting: S3 buckets used to host malware, phishing pages, or exploit kits generate abuse reports from security researchers and anti-malware services. Public S3 buckets with no legitimate content that appear in malware tracking databases attract attention. See S3 public access detection for preventing inadvertently public buckets.

Cryptocurrency mining: The most financially motivated form of account abuse. AWS proactively monitors for mining activity and will act on accounts where mining is detected. See crypto mining detection for the prevention and response guide.

Monitoring for Abuse Indicators

Build monitoring that detects the behaviors that would trigger external abuse reports before those reports reach AWS:

SES sending anomalies: Monitor SES complaint rate and bounce rate hourly (not daily). A complaint rate spike from 0.01% to 0.5% within an hour indicates something unusual with SES sending. Configure CloudWatch alarms on these metrics with appropriate thresholds.

Outbound connection patterns: VPC Flow Logs show outbound connections from your EC2 instances. Legitimate workloads have predictable outbound patterns — connections to known APIs, databases, and services. A sudden burst of outbound connections to thousands of distinct IP addresses indicates port scanning. GuardDuty's recon findings cover many of these patterns, but custom flow log analysis can detect patterns GuardDuty might miss.

S3 public bucket content scanning: For S3 buckets that are intentionally public (hosting static websites, public downloads), scan content periodically to verify it hasn't been modified to host malicious content. Attackers who gain write access to a public S3 bucket sometimes add malicious files alongside legitimate ones. AWS Config tracks S3 bucket policy changes, so enable alerts on any modification to a public bucket's policy or contents.

Responding to AWS Abuse Notifications

AWS abuse notifications arrive via the email address registered to your account and appear in the AWS Support console. When you receive one:

Step 1: Triage immediately. Determine whether the report is about intentional activity (someone on your team doing something they shouldn't) or attack-related (your account was compromised and used to attack others). Check the specific resource mentioned in the abuse report and compare to your asset inventory.

Step 2: Take corrective action. For compromised account scenarios: disable the compromised credential, terminate the offending resources, document the incident. For misconfiguration scenarios (accidentally public S3 bucket with unauthorized content): correct the configuration, understand how it happened, prevent recurrence.

Step 3: Respond to AWS. AWS abuse notifications typically require a response acknowledging the issue and describing corrective actions. A detailed, timely response that demonstrates understanding of the root cause and implemented fixes is the most effective way to resolve abuse reports quickly. Vague or slow responses result in extended review periods and potential service restrictions.

Proactive Reputation Monitoring

Your AWS account's EC2 instances use IP addresses from Amazon's IP ranges. These IP addresses have reputations that can be checked against public threat intelligence lists. An IP that was used for spam by a previous user of the same IP range may already be on blocklists when you start using it.

Tools like MXToolbox, Spamhaus, and Barracuda Central provide blocklist checking for IP addresses. For accounts with SES sending needs, check your SES sending IPs against major blocklists periodically. If an IP you use is blocklisted, you can request a fresh IP from SES (using a dedicated IP) or use Elastic IPs for EC2 resources that need clean reputation.

FAQ

What happens if I don't respond to an AWS abuse notification?

Failing to respond to abuse notifications within AWS's expected timeframe (typically 24-48 hours for most abuse types) escalates the case. AWS may restrict specific services (SES sending, EC2 in specific regions), place the account under enhanced review, or in serious cases suspend the account. Responding promptly and substantively — even if you're still investigating — is better than silence.

Can abuse in one account affect other accounts in my AWS Organization?

AWS evaluates accounts individually, but serious abuse in one account can trigger review of the entire organization. If AWS determines that a pattern of abuse exists across multiple accounts under the same organization, they may apply account-level restrictions more broadly. This is one reason to take even isolated account compromises seriously and address them completely rather than accepting limited impact.

Is there a way to prevent abuse without knowing what attack vector was used?

Yes — defense in depth. Apply the preventive controls that address the most common attack vectors: eliminate long-lived access keys (use roles), require MFA for all human access, restrict high-risk instance types with SCPs, enable GuardDuty in all regions, monitor SES reputation metrics. These controls collectively prevent the most common paths to abuse, even without knowing which specific vector would be exploited. Vigilare monitors all these controls and alerts on gaps that increase abuse risk.

Protect your AWS accounts before it's too late

Vigilare monitors your AWS accounts for suspension risks — billing anomalies, IAM issues, GuardDuty findings, and more — and alerts you before AWS takes action.

See Vigilare pricing Talk to us about securing your AWS Browse documentation →

Written by Viktor B.

Co-founder & CEO