AWS EC2 credential used from an unknown external location

ID: aws_ec2_credential_external_location
Data type: AWS CloudTrail
Severity: High

Description

AlphaSOC detected the use of an EC2 credential from a requesting IP address outside of the AWS ranges. This activity could indicate that AWS credentials have been compromised and are being used from an unauthorized location. Threat actors often use stolen credentials to access cloud resources, potentially resulting in data breaches or lateral movement within the AWS environment.

Impact

Connections from unexpected IP ranges may result in unauthorized access, data exfiltration, or further compromise of the EC2 instance and associated resources. The adversary could use the EC2 instance as a stepping stone for lateral movement within the AWS environment.

Severity

| Severity | Condition |
|----------|-----------|
| High | EC2 credential used from an IP address outside of AWS ranges |

Investigation and Remediation

Review EC2 instance logs, CloudTrail logs, and VPC flow logs to identify the source and nature of the connection. If unauthorized access is confirmed, isolate the instance, revoke active sessions, rotate credentials, and patch any vulnerabilities. Consider forensic analysis to determine the extent of the compromise.
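The detection condition above (an EC2 instance credential exercised from a source IP outside the AWS ranges), expressed as a small CloudTrail triage script that an analyst could run over exported events during the review step. This is an added example, not AlphaSOC's detection code; the AWS prefix list is a constructed subset (the real list is published at https://ip-ranges.amazonaws.com/ip-ranges.json), and the CloudTrail records are constructed samples.

```python
import ipaddress

# Constructed subset of AWS prefixes; in production load the "prefixes" list
# from https://ip-ranges.amazonaws.com/ip-ranges.json (assumed data source).
AWS_PREFIXES = [ipaddress.ip_network(p) for p in
                ("3.5.140.0/22", "52.94.76.0/22", "18.34.0.0/19")]

def is_ec2_instance_credential(user_identity: dict) -> bool:
    """Instance-profile credentials appear as an AssumedRole whose session name
    is the instance ID; sessionContext.ec2RoleDelivery marks IMDS-issued ones."""
    if user_identity.get("type") != "AssumedRole":
        return False
    if "ec2RoleDelivery" in user_identity.get("sessionContext", {}):
        return True
    return user_identity.get("arn", "").rsplit("/", 1)[-1].startswith("i-")

def is_outside_aws(source_ip: str) -> bool:
    """True for a literal IP that matches no AWS prefix. Non-IP values such as
    "ec2.amazonaws.com" (service principals) or "AWS Internal" are not external."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return not any(addr in net for net in AWS_PREFIXES)

def find_external_ec2_credential_use(records: list) -> list:
    """Return (eventTime, eventName, sourceIPAddress, arn) for every hit."""
    return [(r["eventTime"], r["eventName"], r["sourceIPAddress"],
             r["userIdentity"].get("arn", ""))
            for r in records
            if is_ec2_instance_credential(r.get("userIdentity", {}))
            and is_outside_aws(r.get("sourceIPAddress", ""))]

def _ec2_role(delivery: bool = True) -> dict:
    return {"type": "AssumedRole",
            "sessionContext": {"ec2RoleDelivery": "2.0"} if delivery else {},
            "arn": "arn:aws:sts::123456789012:assumed-role/WebRole/i-0abc123def456"}

# Constructed CloudTrail records, not real telemetry (203.0.113.0/24 is TEST-NET-3).
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "3.5.140.10", "userIdentity": _ec2_role()},
    {"eventTime": "2024-05-01T10:05:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "203.0.113.45", "userIdentity": _ec2_role(delivery=False)},
    {"eventTime": "2024-05-01T10:06:00Z", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "203.0.113.45",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2024-05-01T10:07:00Z", "eventName": "RunInstances",
     "sourceIPAddress": "ec2.amazonaws.com", "userIdentity": _ec2_role()},
]
```

Only the ListBuckets call is reported: the same instance credential used from an AWS address, an IAM user from the same external address, and a service-principal event with a hostname in sourceIPAddress all fall outside the condition.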