by NorwegianDude 1278 days ago
That really sucks and is the risk of using cloud solutions with no spending limit and a lack of monitoring.

You should still have someone to keep an eye on it when using cloud solutions. And when you already have someone to keep an eye on it there's a good chance you might be better off managing the infrastructure yourself.

Not really sure how this exact scenario works, but if their account was legitimately hacked, couldn't the hacker just remove the caps?
So it depends how and what gets hacked.

The type of company posting about getting hacked like this is probably using the root / admin accounts to do most things. Their lowest-hanging fruit and biggest wins would probably be MFA, then SSO.

However, IAM is generally powerful enough to allow you to configure what an account can do.

So best practice, you also want to think about how you're going to lose credentials.

- Sharing passwords across services.
- Leak of your .dotfiles, either by having your laptop pwned, or by uploading your .dotfiles to a public repo as a backup or something.
- Accidentally pasting into the wrong window or something.

SSO & MFA defeats all of these, with the exception that your STS token will be signed for 1h in those .dotfiles when you auth yourself. I'm not sure what happens if you remove the token from the device, but the device itself being compromised would allow someone to piggyback on your session.

Ergo, you move to least-privilege access, and then if your laptop, server, or CI/CD runner gets hijacked, it's only able to do whatever it was allowed to do in the first place.

The last part is you need to detect the misuse.

When you have least privileged access, and a pretty locked down account, the hope is when a session is hijacked, the attacker will attempt to use the credentials and get an access denied. This should allow you to detect and remediate the reason for leak.

Obviously this turns your cloud install into a lot more work, and you still also need to look at maintaining and patching the actual services so they're not compromised in the first place.

In theory, yes. Which brings us to the question of liability in the case of hacking.

On the one side, if you got hacked to that degree - root account, MFA, e-mail, etc - you really fucked up, to be very blunt.

On the other, it's down to Microsoft to provide good security and protections - e.g. spending limits, with a "contact us" and mandatory waiting period if you're about to go e.g. 10x over what you normally pay.

Banks (at least here) offer you a kind of insurance; if you get hacked, they can lock your account and return your money. Their reasoning there is that they messed up and didn't make it obvious enough that you're about to, for example, send X amount of money away. (This is one reason why cryptocurrencies will never replace banks.)

Removing the caps should trigger an out-of-band notification such as an email to all stakeholders, ensuring the legit admins will be notified. This should also be the case for admin removal or disabling billing alerts. I have no idea if Azure actually does this though.
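Two points in this thread lend themselves to a worked example: the hope a few comments up that a hijacked least-privilege session shows up as a run of access-denied results, and the suggestion here that removing a spending cap, disabling billing alerts or removing an admin should fan out an out-of-band notification to every stakeholder. The Python below is an added example written for this page; it is not code from any commenter, from Azure or from any other provider. The JSON-lines log, its field names (`time`, `principal`, `operation`, `result`) and the operation names are constructed for illustration and are not a real provider's audit schema; the thresholds are assumptions to tune against your own baseline.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log in JSON-lines form. Field and operation
# names are assumptions for this example, not a real provider's schema.
SAMPLE_LOG = """
{"time": "2021-09-01T10:00:00Z", "principal": "ci-runner", "operation": "storage.read", "result": "Success"}
{"time": "2021-09-01T10:00:05Z", "principal": "ci-runner", "operation": "vm.create", "result": "AccessDenied"}
{"time": "2021-09-01T10:00:09Z", "principal": "ci-runner", "operation": "iam.attachPolicy", "result": "AccessDenied"}
{"time": "2021-09-01T10:00:14Z", "principal": "ci-runner", "operation": "vm.create", "result": "AccessDenied"}
{"time": "2021-09-01T10:01:00Z", "principal": "alice", "operation": "storage.write", "result": "AccessDenied"}
{"time": "2021-09-01T11:30:00Z", "principal": "root", "operation": "billing.removeSpendingCap", "result": "Success"}
{"time": "2021-09-01T11:31:00Z", "principal": "root", "operation": "billing.disableAlert", "result": "Success"}
{"time": "2021-09-01T11:32:00Z", "principal": "root", "operation": "vm.create", "result": "Success"}
"""

# Operations that weaken the account's billing or admin guardrails. A
# successful call to any of these should always reach a human out of band.
GUARDRAIL_OPERATIONS = {
    "billing.removeSpendingCap",
    "billing.disableAlert",
    "iam.removeAdmin",
}


def parse_events(text):
    """Parse JSON-lines audit records into dicts with a datetime 'time', oldest first."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["time"] = datetime.strptime(event["time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["time"])


def access_denied_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Return {principal: count} for principals with >= threshold AccessDenied
    results inside any sliding window of the given length.

    A locked-down identity that suddenly probes operations it was never
    granted is the signal the thread describes; a single stray denial
    (a typo, a new feature) stays below the threshold.
    """
    denied_times = defaultdict(list)
    for event in events:
        if event["result"] == "AccessDenied":
            denied_times[event["principal"]].append(event["time"])

    flagged = {}
    for principal, times in denied_times.items():
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits within `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[principal] = end - start + 1
                break
    return flagged


def guardrail_changes(events):
    """Return every successful guardrail-weakening operation, in time order."""
    return [
        e for e in events
        if e["operation"] in GUARDRAIL_OPERATIONS and e["result"] == "Success"
    ]


def build_notifications(events, stakeholders):
    """Build one out-of-band message per stakeholder per guardrail change.

    Returning the messages (rather than sending them) keeps the example
    offline; a real deployment would hand each dict to a mail or paging API
    that does not itself depend on the possibly-compromised admin identity.
    """
    notes = []
    for change in guardrail_changes(events):
        for address in stakeholders:
            notes.append({
                "to": address,
                "subject": f"[billing-guardrail] {change['operation']} by {change['principal']}",
                "body": (
                    f"{change['time'].isoformat()} {change['principal']} "
                    f"performed {change['operation']}; confirm this was intended."
                ),
            })
    return notes


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print("access-denied bursts:", access_denied_bursts(evts))
    for note in build_notifications(evts, ["security@example.com", "finance@example.com"]):
        print(note["to"], "<-", note["subject"])
```

On the constructed log, `ci-runner` is flagged (three denials within nine seconds) while `alice`'s single denial is not, and the two billing changes by `root` each produce one message per stakeholder. The notification list is deliberately independent of the IAM identity that made the change, which is the property the comment above asks for: the legitimate admins hear about the cap removal even if the account that performed it is the one that was taken over.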