
Connection to an EC2 instance using EC2 Instance Connect

ID: aws_ec2_connect_ssh
Data type: AWS CloudTrail
Severity: Informational - Low
MITRE ATT&CK: TA0008:T1021.004 (Lateral Movement: Remote Services, SSH)

Description

AlphaSOC detected a connection to an Elastic Compute Cloud (EC2) instance using EC2 Instance Connect, with potentially suspicious or excessive activity that may indicate unauthorized access or enumeration attempts. EC2 Instance Connect lets an IAM principal open an SSH session to an instance without a long-lived SSH key: the client pushes a one-time public key to the instance through the SendSSHPublicKey API call (event source ec2-instance-connect.amazonaws.com in CloudTrail), the key is accepted for 60 seconds, and the SSH login itself is authorized by IAM rather than by a key pair held by the user. While it is a legitimate AWS service, unauthorized or unexpected use could indicate that an IAM principal with the ec2-instance-connect:SendSSHPublicKey permission has been compromised.

Impact

Unauthorized use of EC2 Instance Connect can lead to unauthorized access to EC2 instances, potentially compromising the confidentiality, integrity, and availability of data and services hosted on those instances. Because access is granted by an IAM permission rather than by possession of an SSH private key, a threat actor holding compromised AWS credentials can reach any instance that runs the Instance Connect agent and is reachable on port 22 (directly or through an EC2 Instance Connect Endpoint), without ever touching the instance's authorized_keys file or the organization's SSH key management process. Threat actors may use this to gain initial access or maintain persistence, execute commands, change configurations, harvest instance credentials from the instance metadata service, or move to other resources within the AWS environment.

Severity

Severity        Condition
Informational   Connection to an EC2 instance
Low             SSH connection attempt using root or specific usernames (kali and pentoo)
Low             High-frequency connection attempts

Investigation and Remediation

Investigate the legitimacy of the EC2 Instance Connect usage by verifying the user identity, time of access, and the specific EC2 instance accessed. The relevant CloudTrail record is the SendSSHPublicKey event: check userIdentity (which principal pushed the key), eventTime, sourceIPAddress, requestParameters.instanceId and requestParameters.instanceOSUser (the OS account the actor tried to log in as), and errorCode (present only when the push was denied). Correlate the event time with the instance's own auth log or SSH session records, since CloudTrail shows the key push, not whether the SSH login that followed succeeded. If unauthorized access is confirmed, terminate the live SSH session on the instance (the pushed key expires after 60 seconds, so revoking it is not enough on its own), disable or rotate the IAM credentials that made the call, and conduct a thorough security assessment of the affected instance and connected resources. To reduce exposure, scope ec2-instance-connect:SendSSHPublicKey to specific instances and restrict the permitted OS user with the ec2:osuser IAM condition key so that root logins cannot be requested at all.
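The following Python script is an added illustration of the severity table above and of the triage fields named in the investigation guidance; it is not AlphaSOC's detection code and the sample CloudTrail records, the IAM principals, instance IDs, IP addresses and the burst threshold (5 key pushes within 60 seconds) are all constructed for the example. It filters SendSSHPublicKey events out of a newline-delimited CloudTrail export, assigns the page's Informational/Low severities, and emits the fields an analyst would pivot on.

```python
"""Toy re-implementation of the severity logic on this page, run over
constructed sample CloudTrail records. Not AlphaSOC's own code."""
import json
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Real CloudTrail event source / name for an EC2 Instance Connect key push.
EVENT_SOURCE = "ec2-instance-connect.amazonaws.com"
EVENT_NAME = "SendSSHPublicKey"

# OS users called out by the severity table.
SUSPICIOUS_OS_USERS = {"root", "kali", "pentoo"}
# Burst parameters are assumptions for this example, not values from the page.
BURST_THRESHOLD = 5
BURST_WINDOW_S = 60


def parse_events(lines):
    """Parse newline-delimited CloudTrail JSON, keeping only Instance Connect key pushes."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("eventSource") == EVENT_SOURCE and ev.get("eventName") == EVENT_NAME:
            events.append(ev)
    return events


def principal(ev):
    ui = ev.get("userIdentity", {})
    return ui.get("arn") or ui.get("principalId", "unknown")


def ts(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def classify(events):
    """Return one finding per key push, with severity and the triage fields from the page."""
    by_principal = defaultdict(list)
    for ev in sorted(events, key=ts):
        by_principal[principal(ev)].append(ev)

    findings = []
    for who, evs in by_principal.items():
        times = [ts(e) for e in evs]
        for i, ev in enumerate(evs):
            params = ev.get("requestParameters", {})
            os_user = params.get("instanceOSUser", "")
            severity, reasons = "Informational", []
            if os_user in SUSPICIOUS_OS_USERS:
                severity = "Low"
                reasons.append(f"SSH as {os_user}")
            # Sliding window: pushes by this principal in the last BURST_WINDOW_S seconds.
            recent = sum(1 for t in times[: i + 1] if (times[i] - t).total_seconds() <= BURST_WINDOW_S)
            if recent >= BURST_THRESHOLD:
                severity = "Low"
                reasons.append(f"{recent} key pushes in {BURST_WINDOW_S}s")
            findings.append({
                "severity": severity, "reasons": reasons, "principal": who,
                "source_ip": ev.get("sourceIPAddress"), "time": ev["eventTime"],
                "instance_id": params.get("instanceId"), "os_user": os_user,
                "error": ev.get("errorCode"),  # set only when the push was denied
            })
    return findings


def severity_counts(findings):
    return Counter(f["severity"] for f in findings)


# Constructed sample log: one admin push, one root attempt, and a burst from the same principal.
def _ev(t, arn, ip, instance, os_user, error=None):
    e = {"eventTime": t, "eventSource": EVENT_SOURCE, "eventName": EVENT_NAME,
         "userIdentity": {"type": "IAMUser", "arn": arn}, "sourceIPAddress": ip,
         "requestParameters": {"instanceId": instance, "instanceOSUser": os_user,
                               "sSHPublicKey": "ssh-ed25519 AAAA... (truncated)"}}
    if error:
        e["errorCode"] = error
    return e

ADMIN = "arn:aws:iam::123456789012:user/admin"        # constructed
SUSPECT = "arn:aws:iam::123456789012:user/contractor"  # constructed
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    _ev("2024-01-15T10:00:00Z", ADMIN, "203.0.113.10", "i-0aaa", "ec2-user"),
    {"eventTime": "2024-01-15T10:01:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "userIdentity": {"arn": ADMIN}},  # must be ignored
    _ev("2024-01-15T10:05:00Z", SUSPECT, "198.51.100.7", "i-0aaa", "root", error="AccessDenied"),
] + [_ev(f"2024-01-15T10:10:{s:02d}Z", SUSPECT, "198.51.100.7", f"i-0bb{n}", "ubuntu")
     for n, s in enumerate((0, 5, 10, 15, 20))])

if __name__ == "__main__":
    for f in classify(parse_events(SAMPLE_LOG.splitlines())):
        print(f["severity"], f["principal"], f["os_user"], f["instance_id"], f["reasons"])
```

The burst detector deliberately keys on the calling principal rather than the instance, because the enumeration case in the severity table is one identity sweeping many instances; the denied root attempt still surfaces as Low so that failed pushes are triaged alongside successful ones.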

Known False Positives

  • Legitimate administrators using EC2 Instance Connect for troubleshooting or maintenance
  • Automated scripts or CI/CD pipelines utilizing EC2 Instance Connect for deployment or configuration management
  • Third-party management tools leveraging EC2 Instance Connect for instance management
  • Developers using EC2 Instance Connect during the development and testing phases of applications