Many actions may be necessary, depending on how the AWS account was affected. In most cases, however, an AWS account is compromised because an IAM identity was exposed: a console user login, an access key, or the root account. An exposed root account without MFA enabled is the hardest case to handle, especially when the customer has no AWS support plan, because AWS is slow to respond and reset the password, and since it is the root account, the attacker's actions cannot be blocked until root access is recovered.
What you should do
- Reset all users' passwords and access keys, reset MFA, and enforce MFA for all users (it should already have been in place),
- Validate all IAM roles, looking for an unauthorised identity in the trust policy,
- Validate all regions and resources, looking for any resource the attacker could have created,
- Monitor the account by enabling AWS Config and creating billing alerts for estimated charges,
- Implement Organizations Service Control Policies (SCPs), for example:
- Report the security issue to AWS straight away; AWS will also monitor the account and, if necessary, you can ask for a billing review.
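The trust-policy check in the list above is easy to do by hand for a handful of roles and easy to get wrong for a hundred. The script below is an added example, not part of the original article or any DNX tooling: it takes role records shaped like the output of `aws iam list-roles` (the `AssumeRolePolicyDocument` field) and reports every Allow statement whose principal is not on an allowlist you maintain. The allowlist, the role names and the policy documents are all constructed for the example; the account IDs reuse the placeholders from the aws-nuke config further down.

```python
"""Audit IAM role trust policies for principals that are not on your allowlist.

The documents below are constructed samples shaped like the
AssumeRolePolicyDocument field returned by `aws iam list-roles`; they are
not taken from any real account.
"""
import re

# Assumptions: the accounts, services and identity providers that legitimately
# appear as principals in this organisation. Anything else is reported.
KNOWN_ACCOUNTS = {"555555555555", "999999999999"}
KNOWN_SERVICES = {"ec2.amazonaws.com", "lambda.amazonaws.com"}
KNOWN_FEDERATED = {"arn:aws:iam::555555555555:saml-provider/CorpSSO"}

_ARN_ACCOUNT = re.compile(r"^arn:aws:iam::(\d{12}):")


def _as_list(value):
    """IAM accepts a scalar or a list in most positions; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principal_account(principal):
    """Return the 12-digit account id behind an AWS principal string, or None."""
    if re.fullmatch(r"\d{12}", principal):
        return principal
    match = _ARN_ACCOUNT.match(principal)
    return match.group(1) if match else None


def audit_trust_policy(role_name, doc):
    """Return the findings (human-readable strings) for one trust policy."""
    findings = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append(f"{role_name}: anyone can assume this role (Principal '*')")
            continue
        for aws in _as_list(principal.get("AWS", [])):
            if aws == "*":
                findings.append(f"{role_name}: wildcard AWS principal")
            elif principal_account(aws) not in KNOWN_ACCOUNTS:
                findings.append(f"{role_name}: unknown account principal {aws}")
        for svc in _as_list(principal.get("Service", [])):
            if svc not in KNOWN_SERVICES:
                findings.append(f"{role_name}: unexpected service principal {svc}")
        for fed in _as_list(principal.get("Federated", [])):
            if fed not in KNOWN_FEDERATED:
                findings.append(f"{role_name}: unexpected federated principal {fed}")
    return findings


def audit_roles(roles):
    """roles: list of {'RoleName': ..., 'AssumeRolePolicyDocument': {...}}.
    Returns {role_name: [findings]} containing only the roles with findings."""
    report = {}
    for role in roles:
        findings = audit_trust_policy(role["RoleName"], role["AssumeRolePolicyDocument"])
        if findings:
            report[role["RoleName"]] = findings
    return report


# Constructed sample: three legitimate roles and two an intruder might leave behind.
SAMPLE_ROLES = [
    {"RoleName": "AppServerRole",
     "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
          "Action": "sts:AssumeRole"}]}},
    {"RoleName": "CrossAccountDeploy",
     "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::999999999999:root"},
          "Action": "sts:AssumeRole"}]}},
    {"RoleName": "SSOAdmin",
     "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow",
          "Principal": {"Federated": "arn:aws:iam::555555555555:saml-provider/CorpSSO"},
          "Action": "sts:AssumeRoleWithSAML"}]}},
    {"RoleName": "BackdoorAdmin",
     "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:user/persist"},
          "Action": "sts:AssumeRole"}]}},
    {"RoleName": "OpenRole",
     "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole"}]}},
]

if __name__ == "__main__":
    for name, items in audit_roles(SAMPLE_ROLES).items():
        for item in items:
            print(item)
```

To run it against a real account, feed `audit_roles` the `Roles` list from `aws iam list-roles --output json`; the CLI already returns the trust policy as decoded JSON. Anything the script reports is a candidate for removal only after you have confirmed it with the role's owner, since a legitimate third-party integration looks exactly like a backdoor until you check the account ID.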
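The SCP step in the list above leaves its example unstated. The block below is an added example of a containment SCP for a compromised member account, written here and not taken from the original article or from AWS documentation: it denies API calls outside a short list of regions (except for global services and a break-glass incident-response role) and denies turning off CloudTrail, GuardDuty and AWS Config. The region list and the break-glass role ARN are assumptions. A small evaluator for the Deny logic is included so the policy can be sanity-checked offline before it is attached in AWS Organizations.

```python
"""Build and sanity-check a containment SCP for a compromised member account.

Constructed example: the allowed regions and break-glass role are assumptions.
SCPs only restrict, they never grant, and they do not apply to the
management account of the organisation.
"""
import fnmatch
import json

# Services whose API calls are global (signed as us-east-1) and must not be
# caught by a region restriction.
GLOBAL_SERVICES = ["iam:*", "organizations:*", "sts:*", "support:*",
                   "cloudfront:*", "route53:*", "budgets:*", "health:*"]


def build_containment_scp(allowed_regions, break_glass_role_arn):
    """Deny API calls outside allowed_regions (except global services and the
    break-glass role) and deny disabling the logging services."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyOutsideAllowedRegions",
                "Effect": "Deny",
                "NotAction": GLOBAL_SERVICES,
                "Resource": "*",
                "Condition": {
                    "StringNotEquals": {"aws:RequestedRegion": list(allowed_regions)},
                    "ArnNotLike": {"aws:PrincipalARN": [break_glass_role_arn]},
                },
            },
            {
                "Sid": "ProtectLogging",
                "Effect": "Deny",
                "Action": [
                    "cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                    "guardduty:DeleteDetector",
                    "config:StopConfigurationRecorder",
                    "config:DeleteConfigurationRecorder",
                ],
                "Resource": "*",
            },
        ],
    }


def _matches(action, patterns):
    """IAM action matching is case-insensitive with '*' wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def scp_denies(policy, action, region, principal_arn):
    """Return the Sid of the first Deny statement that applies, or None.

    Toy evaluator covering only the constructs used above (NotAction,
    StringNotEquals on aws:RequestedRegion, ArnNotLike on aws:PrincipalARN).
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if "Action" in stmt:
            hit = _matches(action, stmt["Action"])
        else:
            hit = not _matches(action, stmt["NotAction"])
        if not hit:
            continue
        cond = stmt.get("Condition", {})
        # Every condition key must be true for the statement to apply.
        allowed = cond.get("StringNotEquals", {}).get("aws:RequestedRegion")
        if allowed is not None and region in allowed:
            continue
        exempt = cond.get("ArnNotLike", {}).get("aws:PrincipalARN", [])
        if _matches(principal_arn, exempt):
            continue
        return stmt["Sid"]
    return None


# Constructed values: regions the team uses and the incident-response role.
POLICY = build_containment_scp(
    ["us-east-1", "ap-southeast-2"],
    "arn:aws:iam::*:role/IncidentResponse",
)

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
```

Attach the printed document to the compromised account (or its OU) in AWS Organizations; the organisation needs "all features" enabled for SCPs to be available. The region deny also stops the root user of the member account from launching compute in unused regions, which is exactly the case where you may not yet have the root password back.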
It is important to know that in most cases, when AWS notices an exposed identity and/or unusual behaviour, such as the creation of an unusual amount or type of resources in an AWS account (normally for bitcoin miners), it blocks the creation of new compute resources such as EC2, ECS, and Lambda.
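The "validate all regions" step from the list above, and the miner scenario just described, come down to one sweep: list compute in every region, including the ones your team never uses, and pick out what does not belong. The script below is an added example, not part of the original article: it runs over instance records shaped like the `Reservations[].Instances[]` entries of `aws ec2 describe-instances`, collected per region, and flags anything in an unexpected region, launched after the compromise began, or missing the tag your provisioning always sets. The inventory, the expected regions, the tag name and the incident timestamp are all constructed for the example.

```python
"""Sweep per-region compute inventory for resources an intruder may have created.

The records below are constructed samples shaped like the Instances entries
returned by `aws ec2 describe-instances`; they are not from a real account.
"""
from datetime import datetime, timezone

# Assumptions: the regions the team actually uses, the tag every legitimately
# provisioned instance carries, and when the compromise is believed to have begun.
EXPECTED_REGIONS = {"us-east-1", "ap-southeast-2"}
REQUIRED_TAG = "Project"
COMPROMISE_START = datetime(2021, 3, 10, 2, 0, tzinfo=timezone.utc)

INVENTORY = {
    "us-east-1": [
        {"InstanceId": "i-0aaa", "InstanceType": "t3.small",
         "LaunchTime": "2021-01-04T09:15:00Z",
         "Tags": [{"Key": "Project", "Value": "web"}]},
        {"InstanceId": "i-0bbb", "InstanceType": "p3.16xlarge",
         "LaunchTime": "2021-03-10T02:41:00Z", "Tags": []},
    ],
    "eu-north-1": [
        {"InstanceId": "i-0ccc", "InstanceType": "c5.24xlarge",
         "LaunchTime": "2021-03-10T03:02:00Z", "Tags": []},
    ],
    "ap-southeast-2": [
        {"InstanceId": "i-0ddd", "InstanceType": "m5.large",
         "LaunchTime": "2020-11-20T12:00:00Z",
         "Tags": [{"Key": "Project", "Value": "api"}]},
    ],
}


def _parse_time(value):
    """LaunchTime in CLI JSON output is an ISO-8601 string in UTC."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_suspicious(inventory, expected_regions=EXPECTED_REGIONS,
                    since=COMPROMISE_START, required_tag=REQUIRED_TAG):
    """Return {instance_id: [reasons]} for every instance that fails a check."""
    findings = {}
    for region, instances in inventory.items():
        for inst in instances:
            reasons = []
            if region not in expected_regions:
                reasons.append(f"unexpected region {region}")
            if _parse_time(inst["LaunchTime"]) >= since:
                reasons.append("launched after compromise start")
            if required_tag not in {t["Key"] for t in inst.get("Tags", [])}:
                reasons.append(f"missing {required_tag} tag")
            if reasons:
                findings[inst["InstanceId"]] = reasons
    return findings


if __name__ == "__main__":
    for instance_id, reasons in find_suspicious(INVENTORY).items():
        print(instance_id, "->", "; ".join(reasons))
```

To build the real inventory, take the region list from `aws ec2 describe-regions --all-regions` and call `describe-instances` in each; the same pattern applies to Lambda functions, ECS tasks and the other services the paragraph above mentions. Do not terminate what the sweep flags as the first action: snapshot the volume and capture the instance metadata for the investigation, then stop it, because AWS and your own forensics will want to know what was running.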
Who can help you
DNX Team, AWS Support, and TAM from AWS if you have one.
Tools
Cloud Conformity by Trend Micro:
https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/
https://www.cloudconformity.com/identity/sign-in.html
Destroy AWS resources:
Caution! Be aware that AWS Nuke is a very destructive tool, hence you have to be very careful while using it, otherwise you might delete production data.
https://github.com/rebuy-de/aws-nuke
Example:
aws-nuke -c config-file.yaml --access-key-id ##### --secret-access-key ###### --no-dry-run
config-file.yaml
regions:
  - us-east-1
accounts:
  "555555555555": {} # master
account-blocklist:
  - "999999999999" # production
resource-types:
  targets:
    - EC2Instance
    - EC2VPC
  excludes:
    - "IAM*"
References
Best practices for managing your access keys:
http://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html
MFA for IAM users:
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html
Trail of API actions:
https://aws.amazon.com/cloudtrail/
Monitor estimated charge with alerts on billing:
AWS Support Plan and Trusted Advisor:
https://aws.amazon.com/premiumsupport/trustedadvisor/
Security Hub for monitoring unusual and insecure behaviour (GuardDuty, AWS Config, IAM Access Analyzer):
https://aws.amazon.com/security-hub/
AWS Security Best Practices and Policies:
https://aws.amazon.com/compliance/shared-responsibility-model/
SCP Policy:
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html