I’ve not seen any reports of something like this before. CloudQuery itself doesn’t use other AWS accounts. Could the instance role have been compromised or used in some other way? Do you recognize the account number at all?
@herman The account number isn’t mine (I’ve checked). And I have faced this a couple of months before as well. The setup is a fresh Ubuntu image running CloudQuery using Docker Compose. Unlikely this would be anything else. I’ll keep you posted if I’m able to find something.
Thank you, yes, please keep us posted. If there’s any more information we can provide to help, just let us know.
I joined here to post about this exact same issue, except with AWS account 380789617082, which isn’t used anywhere in our Org.
@crucial-mallard Are you also using the Ubuntu image running CloudQuery? @optimum-racer @crucial-mallard could you post the versions of the image you’re using, as well as the repository it’s being downloaded from? Any other information you can provide would be great, like the plugins you’re running and their versions, as well as the CloudQuery CLI version if applicable.
I’ve reached out to my DevOps counterpart to confirm. Will let you know once they get back to me.
I think the only plugin we had enabled was the AWS plugin, which we configured to look at all tables ["*"] instead of limiting to aws_ec2_instances, aws_s3_buckets, etc.
If you could post your CloudQuery configs with any sensitive information redacted, that would be great as well.
So it’s not running through a container. It’s an Amazon Linux 2 (Amazon provided AMI as well) instance with the binary downloaded using the instructions on the site - CloudQuery Quickstart.
What version of the binary are you using?
And AWS source plugin version as well?
I think the one in the instructions, 4.4.0.
That’s what I meant!
And I’m being told it was the latest version of the plugin available on the website. Don’t have the specific version, sorry.
And are you using the Postgres destination, or something else?
Postgres destination. All configured locally. Grafana as well.
When was this, today? Or some time ago? Just trying to narrow down what the versions could be.
Yesterday afternoon between 1:30 - 4:30 PM ET, let me double check exactly when my coworker created the binary on the server. It may have been a day or so beforehand before I got to use it.
However, the alerts started once we added the AWS managed policy ReadOnlyAccess to the IAM role associated with the EC2 instance, and started running a new sync on all data in our account.
Apologies for being hesitant in wanting to power the server back online to get specifics. The binary was apparently downloaded 2 or 3 days ago.
Totally understand. OK, that helps. And were you following a specific tutorial for setting it up?
Yeah, it was the quickstart instructions linked earlier. I thought he may have followed the video you have on YouTube with the deployment in EKS, but it was just a local setup.
How did you create the read-only role?
Standard IAM role in AWS, trust relationship with EC2. Associated the managed policy AWS provides for read-only access.