Connection to an EC2 instance using EC2 Instance Connect
Description
AlphaSOC detected a connection to an Elastic Compute Cloud (EC2) instance using EC2 Instance Connect, with potentially suspicious or excessive activity that may indicate unauthorized access or enumeration attempts. This feature allows users to connect to EC2 instances using an SSH connection without sharing SSH keys. While it's a legitimate AWS service, unauthorized or unexpected use could indicate potential compromise.
Impact
Unauthorized use of EC2 Instance Connect can lead to unauthorized access to EC2 instances, potentially compromising the confidentiality, integrity, and availability of data and services hosted on those instances. Threat actors may use EC2 Instance Connect to gain initial access or maintain persistence in the cloud environment, bypassing traditional SSH key management controls. They may also use this method to execute commands, change configurations, or move to other resources within the AWS environment.
Severity
| Severity | Condition |
|---|---|
| Informational | Connection to an EC2 instance |
| Low | SSH connection attempt using root or specific usernames (kali and pentoo) |
| Low | High-frequency connection attempts |
Investigation and Remediation
Investigate the legitimacy of the EC2 Instance Connect usage by verifying the user identity, time of access, and the specific EC2 instance accessed. Review AWS CloudTrail logs for additional context. If unauthorized access is confirmed, terminate the session, rotate credentials, and conduct a thorough security assessment of the affected instance and connected resources.
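As a worked triage step for the CloudTrail review described above (an added example, not AlphaSOC's own detection logic), the following Python filters CloudTrail records for EC2 Instance Connect key pushes (the SendSSHPublicKey API call, whose request parameters carry the instance ID and target OS user) and applies the severity conditions from the table: a target user of root, kali or pentoo, and repeated attempts against one instance. The sample records and the frequency threshold are constructed assumptions.

```python
from collections import Counter

# OS usernames the detection rates Low when they appear as the Instance Connect target user.
SUSPICIOUS_OS_USERS = {"root", "kali", "pentoo"}
# Attempts per (principal, instance) at or above which we flag "high-frequency"
# (assumed threshold, not AlphaSOC's published value).
HIGH_FREQUENCY_THRESHOLD = 5

def _event(arn, ip, instance_id, os_user, source="ec2-instance-connect.amazonaws.com",
           name="SendSSHPublicKey"):
    """Build a minimal CloudTrail-shaped record (constructed sample data, not a real log)."""
    return {"eventSource": source, "eventName": name,
            "userIdentity": {"arn": arn}, "sourceIPAddress": ip,
            "requestParameters": {"instanceId": instance_id, "instanceOSUser": os_user}}

# Constructed sample records: one normal session, one as root, a burst of six pushes,
# and one unrelated EC2 API call that the filter must ignore.
SAMPLE_EVENTS = (
    [_event("arn:aws:iam::111122223333:user/alice", "203.0.113.10", "i-0aaa", "ec2-user"),
     _event("arn:aws:iam::111122223333:user/bob", "198.51.100.7", "i-0bbb", "root")]
    + [_event("arn:aws:iam::111122223333:user/mallory", "192.0.2.44", "i-0ccc", "ec2-user")
       for _ in range(6)]
    + [_event("arn:aws:iam::111122223333:user/alice", "203.0.113.10", "i-0aaa", "",
              source="ec2.amazonaws.com", name="DescribeInstances")]
)

def triage(events):
    """Map Instance Connect key pushes to (severity, reason, principal, instance) findings."""
    findings, attempts = [], Counter()
    for ev in events:
        if (ev.get("eventSource") != "ec2-instance-connect.amazonaws.com"
                or ev.get("eventName") != "SendSSHPublicKey"):
            continue  # not an Instance Connect key push
        principal = ev.get("userIdentity", {}).get("arn", "unknown")
        params = ev.get("requestParameters") or {}
        instance, os_user = params.get("instanceId", "?"), params.get("instanceOSUser", "")
        attempts[(principal, instance)] += 1
        if os_user in SUSPICIOUS_OS_USERS:
            findings.append(("Low", f"SSH as '{os_user}'", principal, instance))
        else:
            findings.append(("Informational", "Instance Connect session", principal, instance))
    # Second pass: the high-frequency condition is evaluated per principal and instance.
    for (principal, instance), n in attempts.items():
        if n >= HIGH_FREQUENCY_THRESHOLD:
            findings.append(("Low", f"{n} connection attempts", principal, instance))
    return findings

def severity_counts(findings):
    """Count findings per severity level for a quick triage summary."""
    return Counter(sev for sev, *_ in findings)

if __name__ == "__main__":
    for sev, reason, who, inst in triage(SAMPLE_EVENTS):
        print(f"{sev:<13} {reason:<28} {who} -> {inst}")
```

Each principal and instance pair in the output should then be checked against the expected administrators, deployment pipelines and access windows before escalating.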
Known False Positives
- Legitimate administrators using EC2 Instance Connect for troubleshooting or maintenance
- Automated scripts or CI/CD pipelines utilizing EC2 Instance Connect for deployment or configuration management
- Third-party management tools leveraging EC2 Instance Connect for instance management
- Developers using EC2 Instance Connect during the development and testing phases of applications