AWS Suspect Traffic Mirror Creation

View all detections
AWS Suspect Traffic Mirror Creation


  • An AWS control-plane API was invoked, which leveraged an EC2 instance as a traffic mirroring target. This suggests a malicious network traffic session will be created, mirroring traffic to the target EC2 instance.

Possible Root Causes

  • A malicious actor is mirroring network traffic to an attacker controlled EC2 in order to steal credentials like passwords and further pivot into the environment.
  • An administrator may have intentionally configured an EC2 as a traffic mirroring target as part of normal operations.

Business Impact

  • Malicious traffic mirroring can be extremely impactful as the traffic moving within VPCs is frequently unencrypted. This is common due to the cloud network design practice of terminating SSL/TLS encryption at load balancers.
  • Stolen credentials sniffed from a network can further an attack campaign, impacting the confidentially of data stored on impacted systems.
  • When confidentially of data is affected, there may be regulatory or compliance implications for the business.

Steps to Verify

  • Investigate the Principal that performed the actions for other signs of malicious activity.
  • Validate that the creation of the traffic mirroring target is authorized, given the purpose and policies governing this resource.
  • Review CloudTrail logs to determine if a traffic mirroring session was established and is authorized, given the purpose and policies governing this resource.
  • If review indicates possible malicious actions or high-risk configurations were made:
    - Revert any configuration changes.
    - Terminate any traffic mirroring session created by the Principal.
    - Disable credentials associated with this alert.
    - Perform a comprehensive investigation to determine initial compromise and if network traffic from the source EC2 instance was encrypted in transit.