Connection to multiple AWS EC2 instances using EC2 Instance Connect
Description
AlphaSOC detected a connection to an Elastic Compute Cloud (EC2) instance using EC2 Instance Connect, with potentially suspicious or excessive activity that may indicate unauthorized access or enumeration attempts. EC2 Instance Connect allows users to connect to EC2 instances over SSH without sharing SSH keys. While it is a legitimate AWS service, unauthorized or unexpected use could indicate potential compromise.
Impact
Unauthorized use of EC2 Instance Connect can lead to unauthorized access to EC2 instances, potentially compromising the confidentiality, integrity, and availability of data and services hosted on those instances. Threat actors may use EC2 Instance Connect to gain initial access or maintain persistence in the cloud environment, bypassing traditional SSH key management controls. They may also use this method to execute commands, change configurations, or move to other resources within the AWS environment.
Severity
Severity | Condition |
---|---|
Informational | Connection to an EC2 instance |
Low | SSH connection attempt with specific usernames (e.g. root, kali) |
Low | High-frequency connection attempts |
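
The severity conditions above, applied to CloudTrail records, as an added example (not AlphaSOC's own detection logic). It assumes connections appear as SendSSHPublicKey events carrying instanceId and osUser in requestParameters; the 10-minute window and threshold of 5 are assumptions, since the page states neither, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SOURCE = "ec2-instance-connect.amazonaws.com"
WATCHED_USERS = {"root", "kali"}   # usernames the severity table names
WINDOW = timedelta(minutes=10)     # assumption: the page states no window
THRESHOLD = 5                      # assumption: the page states no count

def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def classify(events):
    """Return (severity, condition, principal, instance_id) findings."""
    findings, recent, flagged = [], defaultdict(list), set()
    hits = [e for e in events
            if e.get("eventSource") == SOURCE
            and e.get("eventName") == "SendSSHPublicKey"]
    for e in sorted(hits, key=lambda e: parse_time(e["eventTime"])):
        when = parse_time(e["eventTime"])
        who = e.get("userIdentity", {}).get("arn", "unknown")
        params = e.get("requestParameters") or {}  # field names assumed
        instance, os_user = params.get("instanceId"), params.get("osUser")
        if os_user in WATCHED_USERS:
            findings.append(("Low", f"watched username {os_user}", who, instance))
        else:
            findings.append(("Informational", "connection", who, instance))
        # Sliding window per principal: keep only timestamps inside WINDOW.
        recent[who] = [t for t in recent[who] if when - t <= WINDOW] + [when]
        if len(recent[who]) >= THRESHOLD and who not in flagged:
            flagged.add(who)  # report the burst once per principal
            findings.append(("Low", "high-frequency attempts", who, instance))
    return findings

def make_event(ts, arn, instance, os_user):
    """Build a constructed record with only the fields classify() reads."""
    return {"eventSource": SOURCE, "eventName": "SendSSHPublicKey",
            "eventTime": ts, "userIdentity": {"arn": arn},
            "requestParameters": {"instanceId": instance, "osUser": os_user}}

# Constructed sample data: six connections by one principal, one as root,
# and one unrelated API call that the classifier must ignore.
ALICE = "arn:aws:iam::111122223333:user/alice"
BOB = "arn:aws:iam::111122223333:user/bob"
SAMPLE = [make_event(f"2024-01-01T12:0{i}:00Z", ALICE, f"i-0example{i}", "ec2-user")
          for i in range(6)]
SAMPLE.append(make_event("2024-01-01T13:00:00Z", BOB, "i-0example9", "root"))
SAMPLE.append({"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
               "eventTime": "2024-01-01T13:05:00Z"})
```

Calling classify(SAMPLE) yields one finding per connection plus a single high-frequency finding for the principal that crosses the threshold.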