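Two years ago, TABIPPO.NET, where I serve as editor-in-chief, was migrated at 1 million page views from Sakura to Amazon Web Services (AWS). Since then, through trial and error, we have improved the architecture so that it can handle sudden traffic spikes and the loading of large numbers of image files.
One winter day, just as I was thinking back that "lately I no longer break into a cold sweat while looking at the AWS management console," an unfamiliar email arrived from AWS. The subject line read "Your Amazon EC2 Abuse Report".
First Abuse Report from AWS: "Your site's in violation, just so you know"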
We’ve received a report(s) that your AWS resource(s)
AWS ID: ■■■■ Region: ■■■■ EC2 Instance Id: ■■■■
has been implicated in hosting a website that may contain content forbidden in the AWS Acceptable Use Policy (https://aws.amazon.com/aup/). We’ve included the original report below for your review.
Please ensure the reported content is removed or disabled, and reply directly to this email with details of the corrective actions you have taken. If you do not consider the activity described in these reports to be abusive, please reply to this email with details of your use case.
If you’re unaware of this activity, it’s possible that your environment has been compromised by an external attacker, or a vulnerability is allowing your machine to be used in a way that it was not intended.
We are unable to assist you with troubleshooting or technical inquiries. However, for guidance on securing your instance, we recommend reviewing the following resources:
* Amazon EC2 Security Groups User Guide:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html (Linux)
https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/using-network-security.html (Windows)
* Tips for Securing EC2 Instances:
https://aws.amazon.com/articles/1233 (Linux)
https://aws.amazon.com/articles/1767 (Windows)
* AWS Security Best Practices:
If you require further assistance with this matter, you can take advantage of our developer forums:
Or, if you are subscribed to a Premium Support package, you may reach out for one-on-one assistance here:
Please remember that you are responsible for ensuring that your instances and all applications are properly secured. If you require any further information to assist you in identifying or rectifying this issue, please let us know in a direct reply to this message.
AWS Abuse
Abuse Case Number: ■■■■
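I can't tell how urgent this is from this alone, so for now I only search Google and do some preliminary research. The Abuse Report's
Second Abuse Report: "We're stopping your instance, no hard feelings"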
We’re writing to follow up on your outstanding EC2 abuse reports. We’ve observed Spam Website activity from account ■■■■, and haven’t received a response from you regarding this. Please take corrective measures immediately and reply to this email to notify us that you’ve done so; failure to respond to this notice within 24 hours may result in your instances being isolated.
Instance ID: ■■■■
Please be aware: according to the terms of the AWS License Agreement (http://aws.amazon.com/agreement/), if we continue to see violation of the Acceptable Use Policy (http://aws.amazon.com/aup/), your instances and account may be subject to termination.
If you’re unaware of the source of the reported abuse, it’s possible that your instance was compromised by an external attacker. The best thing to do in this situation is to back up your data, migrate your applications to a new instance, and terminate the old one.
Please remember that you are responsible for ensuring that your instances and all applications are properly secured.
You can get more information on our security best practices with the following resources:
Tips for securing your EC2 Instance:
Security Best Practices:
EC2 Security Group Documentation:
AWS Security Center:
Best regards,
AWS Abuse Team
Case Number: ■■■■
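They'll stop the instance if I don't reply within 24 hours?! Isn't that too sudden? Seriously, AWS. Even if 24 hours is extreme, I should at least reply with what I have checked so far. I'll raise the priority and deal with it together with the engineering team.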
Thank you for responding to this notice.
On further review we found that this notification was sent in error. This content is not in violation of our AUP and no further action is required. This case has been resolved.
(It looks like the earlier Abuse Report was a mistake! There's nothing in particular you need to do, so rest easy!)
We apologize for any inconvenience.
Best regards,
AWS Abuse
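The emails so far ended with "AWS Abuse Team", but this one alone ends with "AWS Abuse". Maybe AWS was flustered too. In any case, the instance suspension by AWS that I wanted to avoid was averted, but it was quite a scramble.
Countermeasures for AWS Abuse Reports
Countermeasures for the content of an Abuse Report depend on the individual case, but one reason we scrambled this time was that Abuse Reports were set up to be delivered only to the root account holder. I happened to be on an overseas reporting trip at the time, so it took a while to notice.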