You set up various AWS resources in your AWS account, including EC2, RDS MySQL, DynamoDB, etc. Your billing alarm has been triggered and the AWS cost is increasing abnormally. You also get a notification from AWS that your AWS account may be compromised. As an AWS administrator, you need to take action immediately. Which of the following actions are appropriate? (Select Three.)

Answer options:

A.Change your AWS account root user password.
B.Delete all AWS EC2 resources even if you are unsure if they are compromised or not.
C.Rotate and delete root and all IAM access keys.
D.Respond to any notifications you received from AWS Support.
E.Enable AWS Shield Advanced to protect the EC2 resources from DDoS attacks.

Answer – A, C, and D
Option A is CORRECT because the AWS root account has complete access to AWS resources, services, and billing. Changing your AWS account root user password is necessary to protect your AWS account from being compromised.
Option B is incorrect because it is not suitable to delete all resources at this stage. Instead, you should delete any resources on your account you didn`t create, such as EC2, EBS, IAM resources, etc.
Option C is CORRECT because, with AWS access keys, anyone can have access to your AWS resources using AWS CLI and can compromise your account. Rotating the used IAM access keys is considered the best practice from AWS.
Option D is CORRECT because you should sign in to the AWS Support Center, check the notification detail, and respond to it.
Option E is incorrect because protecting from DDoS attacks is not urgent when the AWS account is compromised. The account may be compromised by many other services such as IAM and S3 and not just by EC2 instances.
Reference:
https://aws.amazon.com/premiumsupport/knowledge-center/potential-account-compromise/.