AWS console login from an EC2 instance
Description
AlphaSOC detected an AWS console login originating from an Elastic Compute Cloud (EC2) instance. This activity is unexpected as AWS console access typically occurs from authorized workstations or through approved remote access methods. Logging into the AWS console from an EC2 instance may indicate that an adversary has gained access to the instance. Actions initiated by AWS services are exempt from the detection to avoid false positives.
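The core of this detection, as an added example that is not AlphaSOC's own code: match CloudTrail ConsoleLogin events against an inventory of EC2 instance IPs, skipping service-initiated events. The instance IP inventory and the sample events below are constructed.

```python
"""Flag CloudTrail ConsoleLogin events whose source IP belongs to an EC2 instance.
Events initiated by AWS services are exempt, as the detection describes."""
import ipaddress

# Constructed inventory of EC2 instance public IPs -> instance ids.
# In practice this would be built from ec2:DescribeInstances output.
EC2_INSTANCE_IPS = {"203.0.113.10": "i-0123456789abcdef0"}


def is_service_initiated(event: dict) -> bool:
    """AWS-service-initiated events carry userIdentity.invokedBy and/or a service
    DNS name (e.g. 'ec2.amazonaws.com') in sourceIPAddress instead of an IP."""
    if event.get("userIdentity", {}).get("invokedBy"):
        return True
    try:
        ipaddress.ip_address(event.get("sourceIPAddress", ""))
    except ValueError:
        return True  # not an IP literal, so a service principal
    return False


def console_logins_from_ec2(events, instance_ips=EC2_INSTANCE_IPS):
    """Return High-severity findings for console logins sourced from an instance IP."""
    findings = []
    for ev in events:
        if ev.get("eventName") != "ConsoleLogin" or ev.get("eventSource") != "signin.amazonaws.com":
            continue
        if is_service_initiated(ev):
            continue  # exemption to avoid false positives from AWS services
        src = ev.get("sourceIPAddress")
        if src in instance_ips:
            findings.append({
                "eventTime": ev.get("eventTime"),
                "principal": ev.get("userIdentity", {}).get("arn"),
                "sourceIPAddress": src,
                "instanceId": instance_ips[src],
                "outcome": ev.get("responseElements", {}).get("ConsoleLogin"),
                "severity": "High",
            })
    return findings


# Constructed sample records in CloudTrail shape: a workstation login (ignored),
# a login from an instance IP (flagged), and a service-initiated event (exempt).
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T08:00:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-05-01T08:05:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-05-01T08:06:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "sourceIPAddress": "ec2.amazonaws.com", "userIdentity": {"invokedBy": "ec2.amazonaws.com"}},
]
```

Run against real CloudTrail data, the same function applies to the output of a LookupEvents or S3 log query once the instance IP inventory is populated.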
Impact
An unauthorized AWS console login from an EC2 instance can lead to significant security risks. The threat actor may gain access to sensitive AWS resources, modify configurations, create new resources, or exfiltrate data. This activity could result in data breaches, service disruptions, or unauthorized use of AWS services.
Severity
| Severity | Condition |
|---|---|
| High | Console login originating from an EC2 instance |
Investigation and Remediation
Investigate the EC2 instance, including its security group settings, running processes, and access logs. Review AWS CloudTrail logs to identify any suspicious activities performed during the console session. If compromise is confirmed, isolate the instance, revoke active access keys, rotate all affected credentials, and consider terminating the instance.
Known False Positives
- Misconfigured VPN or proxy settings routing legitimate user traffic through an EC2 instance