
AWS console login from an EC2 instance

ID:aws_console_login_ec2
Data type:AWS CloudTrail
Severity:High
MITRE ATT&CK:TA0003:T1078.004

Description

AlphaSOC detected an AWS console login originating from an Elastic Compute Cloud (EC2) instance. This activity is unexpected as AWS console access typically occurs from authorized workstations or through approved remote access methods. Logging into the AWS console from an EC2 instance may indicate that an adversary has gained access to the instance. Actions initiated by AWS services are exempt from the detection to avoid false positives.
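As an added example (not AlphaSOC's own detection code), the following Python checks a batch of CloudTrail records for the pattern this rule describes: ConsoleLogin events whose source IP belongs to a known EC2 instance, with service-initiated actions exempted. The set of EC2 public IPs and the CloudTrail records are constructed assumptions.

```python
import json

# Constructed: public IPs of this account's EC2 instances, as an inventory
# step (e.g. ec2:DescribeInstances) would supply them. Hypothetical values.
EC2_PUBLIC_IPS = {"203.0.113.10", "203.0.113.11"}

# Constructed CloudTrail records covering the three cases the rule cares about:
# a console login from an EC2 IP, one from a workstation, and a service call.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "eventTime": "2024-05-01T10:00:00Z", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "eventTime": "2024-05-01T10:05:00Z", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "eventTime": "2024-05-01T10:06:00Z", "sourceIPAddress": "ec2.amazonaws.com",
     "userIdentity": {"type": "AWSService", "invokedBy": "ec2.amazonaws.com"}},
]})

def is_service_initiated(record):
    """CloudTrail marks calls made by an AWS service on your behalf with
    userIdentity.invokedBy and/or a service hostname in sourceIPAddress."""
    ident = record.get("userIdentity", {})
    src = record.get("sourceIPAddress", "")
    return bool(ident.get("invokedBy")) or src.endswith(".amazonaws.com")

def find_console_logins_from_ec2(cloudtrail_json, ec2_ips):
    """Return one finding per ConsoleLogin whose source IP is an EC2 instance."""
    findings = []
    for rec in json.loads(cloudtrail_json).get("Records", []):
        if rec.get("eventName") != "ConsoleLogin" or is_service_initiated(rec):
            continue  # not a console login, or the service exemption applies
        src = rec.get("sourceIPAddress")
        if src in ec2_ips:
            findings.append({
                "time": rec.get("eventTime"),
                "user": rec.get("userIdentity", {}).get("userName", "<unknown>"),
                "source_ip": src,
                "outcome": rec.get("responseElements", {}).get("ConsoleLogin", "Unknown"),
                "severity": "High",  # matches the rule's severity table
            })
    return findings

if __name__ == "__main__":
    for finding in find_console_logins_from_ec2(SAMPLE_CLOUDTRAIL, EC2_PUBLIC_IPS):
        print(finding)
```

In practice the EC2 IP set should be refreshed from the account inventory before each run, since instance public IPs change on stop/start.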

Impact

An unauthorized AWS console login from an EC2 instance can lead to significant security risks. The threat actor may gain access to sensitive AWS resources, modify configurations, create new resources, or exfiltrate data. This activity could result in data breaches, service disruptions, or unauthorized use of AWS services.

Severity

Severity | Condition
High     | Console login originating from an EC2 instance

Investigation and Remediation

Investigate the EC2 instance, including its security group settings, running processes, and access logs. Review AWS CloudTrail logs to identify any suspicious activities performed during the console session. If compromise is confirmed, isolate the instance, revoke active access keys, rotate all affected credentials, and consider terminating the instance.

Known False Positives

  • Misconfigured VPN or proxy settings routing legitimate user traffic through an EC2 instance