AWS Suspect Discovery From EC2 Instance

Triggers

• A set of AWS control-plane APIs were invoked from an EC2 instance which enumerated the configuration details about cloud environment.

Possible Root Causes

• An attacker may have compromised an EC2 instance and be actively looking for opportunities to escalate their permissions by enumerating details of the environment such as the IAM Users, Roles, S3 Buckets and Logging configuration.
• An application hosted on the EC2 instance maybe be intentionally programmed to invoke AWS control-plane APIs associated with environment reconnaissance leveraging the Instance Profile credentials available on the instance.

Business Impact

• Reconnaissance of the environment from an EC2 instance may indicate an adversary has compromised the EC2 instance and is gaining details necessary to support additional malicious activities within the environment.

Steps to Verify

• Investigate the Instance Profile that performed the action for other signs of malicious activity.
• Identify the EC2 instances associated with the suspicious Instance Profile and review them for other signs of malicious activity.
• If any modifications were made to the environment by the suspicious Instance Profile, validate they are authorized, given the purpose and policies governing this resource.
• If review indicates possible malicious actions or high-risk configuration:
  - Revert any configuration changes.
  - Disable credentials associated with the Instance Profile.
  - Perform a comprehensive investigation to determine initial compromise and scope of impacted resources.

‍