AWS Suspect Credential Access from EC2
Detection overview
Triggers
- A set of AWS control plane APIs commonly used to search EC2 user data on EC2 resources for credentials was invoked in an unusual way that may be associated with a potential attack.
Possible Root Causes
- An attacker is searching for credentials inside of the EC2 user data to pivot in the environment.
- An authorized administrator is performing an unusual activity commonly associated with attack progression.
Business Impact
- Lateral movement may indicate that an adversary has established a foothold in the environment and is progressing towards their objective, increasing the risk of material impact.
Steps to Verify
- Investigate the account context that performed the action for other signs of malicious activity.
- Validate that any modifications are authorized, given the purpose and policies governing this resource.
- If review indicates possible malicious actions or high-risk configuration, revert configuration and disable credentials associated with this alert then perform a comprehensive investigation.
AWS Suspect Credential Access from EC2
Possible root causes
Malicious Detection
Benign Detection
AWS Suspect Credential Access from EC2
Example scenarios
AWS Suspect Credential Access from EC2
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
AWS Suspect Credential Access from EC2
Steps to investigate
AWS Suspect Credential Access from EC2
Related detections
No items found.