AWS Suspicious Credential Usage

View all detections
AWS Suspicious Credential Usage


  • EC2 generated temporary credential used outside of EC2.

Possible Root Causes

  • An attacker has extracted a temporary credential from an EC2 instance and is using it to further their attack.
  • An application is using temporary credential generation via EC2s in an unusual way.

Business Impact

  • Attackers may use temporary credentials as a means of maintaining persistent command and control in an environment, which increases the risk of data loss or impacted assets and services.

Steps to Verify

  • Review the actions being undertaken by the credential after the identified activity and potential risk posed by that access.
  • Discuss with the EC2 instance owners to determine if the use of instance generated temporary keys outside of EC2 is known and legitimate.
  • If the review determines there is a high risk to data or the environment, disable the credentials and perform a comprehensive investigation.