AWS Suspect Credential Access from EC2

  • A set of AWS control plane APIs commonly used to search EC2 user data on EC2 resources for credentials was invoked in an unusual way that may be associated with a potential attack.

Possible Root Causes

  • An attacker is searching for credentials inside the EC2 user data to pivot in the environment.
  • An authorized administrator is performing an unusual activity commonly associated with attack progression.

Business Impact

  • Lateral movement may indicate that an adversary has established a foothold in the environment and is progressing towards their objective, increasing the risk of material impact.

Steps to Verify

  • Investigate the account context that performed the action for other signs of malicious activity.
  • Validate that any modifications are authorized, given the purpose and policies governing this resource.
  • If review indicates possible malicious actions or a high-risk configuration, revert the configuration and disable the credentials associated with this alert, then perform a comprehensive investigation.
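
The following script is an added example for the detection described at the top of this page and for the first verification step (investigating the account context); it is not part of the original write-up or of any vendor product. It assumes that the control-plane call used to read EC2 user data is `ec2:DescribeInstanceAttribute` with `attribute=userData` (a real API; treating it as the call this detection keys on is an assumption), and it runs over constructed CloudTrail-style records, flagging a principal that reads user data from several distinct instances within a short window, which is the enumeration pattern an attacker hunting for embedded credentials would produce.

```python
"""Triage helper for EC2 user-data reads in CloudTrail (added example, not product code)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: reading user data shows up in CloudTrail as this source/event pair
# with requestParameters.attribute == "userData".
USER_DATA_READ = ("ec2.amazonaws.com", "DescribeInstanceAttribute")

ROLE_ARN = "arn:aws:sts::111122223333:assumed-role/web-app-role/i-0bbb000000000009"
ADMIN_ARN = "arn:aws:iam::111122223333:user/admin-alice"


def _rec(time, arn, instance, ip, event="DescribeInstanceAttribute", attribute="userData"):
    """Build one constructed CloudTrail-style record (only the fields we use)."""
    params = {"instanceId": instance}
    if attribute:
        params["attribute"] = attribute
    return {
        "eventTime": time,
        "eventSource": "ec2.amazonaws.com",
        "eventName": event,
        "userIdentity": {"arn": arn},
        "sourceIPAddress": ip,
        "requestParameters": params,
    }


# Constructed sample log (newline-delimited JSON, as CloudTrail exports look after flattening).
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    # Benign: an administrator reads one instance's user data once.
    _rec("2024-05-01T10:00:00Z", ADMIN_ARN, "i-0aaa000000000001", "203.0.113.10"),
    # Suspicious: an instance role walks the user data of many instances in under a minute.
    _rec("2024-05-01T11:00:05Z", ROLE_ARN, "i-0aaa000000000002", "198.51.100.7"),
    _rec("2024-05-01T11:00:12Z", ROLE_ARN, "i-0aaa000000000003", "198.51.100.7"),
    _rec("2024-05-01T11:00:20Z", ROLE_ARN, "i-0aaa000000000004", "198.51.100.7"),
    _rec("2024-05-01T11:00:31Z", ROLE_ARN, "i-0aaa000000000005", "198.51.100.7"),
    # Same API but a different attribute: not a user-data read, must be ignored.
    _rec("2024-05-01T11:00:40Z", ROLE_ARN, "i-0aaa000000000006", "198.51.100.7", attribute="instanceType"),
    # Unrelated EC2 call: must be ignored.
    _rec("2024-05-01T11:01:00Z", ROLE_ARN, "i-0aaa000000000006", "198.51.100.7", event="DescribeInstances", attribute=None),
])


def load_events(text):
    """Parse newline-delimited JSON CloudTrail records into dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def user_data_reads(events):
    """Yield (time, principal_arn, instance_id, source_ip) for every EC2 user-data read."""
    for ev in events:
        if (ev.get("eventSource"), ev.get("eventName")) != USER_DATA_READ:
            continue
        params = ev.get("requestParameters") or {}
        if params.get("attribute") != "userData":
            continue
        yield (
            datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
            ev["userIdentity"]["arn"],
            params.get("instanceId", "<unknown>"),
            ev.get("sourceIPAddress", "<unknown>"),
        )


def flag_user_data_enumeration(events, min_instances=3, window=timedelta(minutes=10)):
    """Return {principal_arn: sorted instance ids} for principals that read user data
    from at least `min_instances` distinct instances inside any `window`-long span."""
    by_principal = defaultdict(list)
    for t, arn, inst, _ip in user_data_reads(events):
        by_principal[arn].append((t, inst))

    flagged = {}
    for arn, reads in by_principal.items():
        reads.sort()  # chronological, so each later read is >= the window start
        for i, (start, _) in enumerate(reads):
            seen = {inst for t, inst in reads[i:] if t - start <= window}
            if len(seen) >= min_instances:
                flagged[arn] = sorted(seen)
                break
    return flagged


if __name__ == "__main__":
    events = load_events(SAMPLE_LOG)
    for arn, instances in flag_user_data_enumeration(events).items():
        print(f"ALERT {arn} read user data from {len(instances)} instances: {instances}")
```

The threshold and window are tuning knobs: a single administrator reading one instance's user data stays below the bar, while a principal sweeping several instances within minutes is surfaced with the list of instances touched, which is exactly the account context the verification steps ask you to examine.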