AWS EC2 credential used from an unknown external location
Description
AlphaSOC detected the use of an EC2 instance credential (the temporary credentials of the IAM role attached to an instance, normally fetched from the instance metadata service) in an API call whose requesting IP address falls outside the AWS IP ranges published at ip-ranges.amazonaws.com. An instance makes its own calls from AWS address space, so use of its credentials from anywhere else indicates that they have left the instance, for example through a compromised host, an SSRF request to the metadata service, or credentials copied into logs or code. Threat actors use such stolen credentials to access cloud resources, potentially resulting in data breaches or lateral movement within the AWS environment.
Impact
Whoever holds the credential can do everything the instance's IAM role permits, from any location, until the credential expires or the role's sessions are revoked. Depending on the role's permissions this may result in unauthorized access, data exfiltration, or further compromise of the EC2 instance and the resources it can reach, and the instance or its role can serve as a stepping stone for lateral movement within the AWS environment.
Severity
| Severity | Condition |
|---|---|
| High | EC2 credential used from an IP address outside of AWS ranges |
Investigation and Remediation
Review CloudTrail for the assumed-role session named after the instance (EC2 uses the instance ID as the role session name, so userIdentity.arn ends in it) and compare the sourceIPAddress of each event with the instance's own addresses; the eventName and errorCode fields show what the external actor attempted, and runs of AccessDenied errors typically indicate permission enumeration. Use EC2 instance logs and VPC flow logs to establish how the credential left the instance. If unauthorized access is confirmed, isolate the instance, snapshot its volumes for forensic analysis, and revoke the stolen credential. Instance-profile credentials cannot be rotated by hand; instead, attach an inline deny policy to the role with a DateLessThan condition on aws:TokenIssueTime (the IAM console's "Revoke active sessions" action), which invalidates every session issued before that moment. The exfiltrated copy then stops working, while the instance obtains fresh credentials from the metadata service. Patch the vulnerability that exposed the credential, require IMDSv2 on the instance (HttpTokens=required) so that metadata requests without a session token are refused, and review the role's permissions to scope what the adversary could have reached. Consider a full forensic analysis to determine the extent of the compromise.
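The following is an added example, not AlphaSOC's detection code, that implements the check described in the Description and the revocation step from Investigation and Remediation over constructed CloudTrail records. It assumes the published ip-ranges.json layout ("prefixes"/"ipv6_prefixes" entries with "ip_prefix"/"ipv6_prefix" keys), that EC2 sets the role session name to the instance ID, and that calls made through a VPC endpoint are logged with the instance's private address; the IP ranges, account ID, role name and events are all constructed stand-ins.

```python
"""Flag EC2 instance-profile credentials used from outside AWS ranges and build the
revocation policy. Added example; assumptions are marked in the comments."""
import ipaddress
import json
import re
from datetime import datetime, timezone

# Constructed stand-ins for the "prefixes" / "ipv6_prefixes" entries of
# https://ip-ranges.amazonaws.com/ip-ranges.json. These are documentation ranges,
# not real AWS prefixes; in production load the published file and refresh it.
AWS_IP_RANGES = {
    "prefixes": [{"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "AMAZON"}],
    "ipv6_prefixes": [{"ipv6_prefix": "2001:db8:aa::/48", "region": "us-east-1", "service": "AMAZON"}],
}

# Assumption: calls that reach the API through a VPC endpoint are logged with the
# instance's private address, so RFC 1918 sources are treated as inside AWS.
PRIVATE_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# EC2 issues instance-profile credentials with the instance ID as the role session name.
INSTANCE_ID_RE = re.compile(r"^i-(?:[0-9a-f]{8}|[0-9a-f]{17})$")
ROLE_ARN = "arn:aws:iam::123456789012:role/WebServerRole"  # constructed


def _event(event_time, event_name, source_ip, session_name):
    """Build a constructed CloudTrail record with only the fields this check reads."""
    return {
        "eventTime": event_time, "eventName": event_name, "sourceIPAddress": source_ip,
        "userIdentity": {
            "type": "AssumedRole",
            "arn": f"arn:aws:sts::123456789012:assumed-role/WebServerRole/{session_name}",
            "sessionContext": {"sessionIssuer": {"arn": ROLE_ARN}},
        },
    }


SAMPLE_EVENTS = [
    # the instance itself, calling from its public address inside the constructed AWS range
    _event("2024-05-01T09:58:00Z", "GetObject", "198.51.100.17", "i-0abc123def456789a"),
    # the same credential replayed from a non-AWS address: what this alert fires on
    _event("2024-05-01T10:15:00Z", "ListBuckets", "203.0.113.45", "i-0abc123def456789a"),
    # an operator who ran sts:AssumeRole from a laptop: a different detection, not this one
    _event("2024-05-01T10:20:00Z", "DescribeInstances", "203.0.113.45", "alice"),
    # a call recorded with a service DNS name instead of an IP: not a location, skip it
    _event("2024-05-01T10:25:00Z", "AssumeRole", "ec2.amazonaws.com", "i-0abc123def456789a"),
]


def load_aws_networks(ranges):
    """Parse ip-ranges.json entries into ip_network objects for both address families."""
    nets = [ipaddress.ip_network(p["ip_prefix"]) for p in ranges.get("prefixes", [])]
    nets += [ipaddress.ip_network(p["ipv6_prefix"]) for p in ranges.get("ipv6_prefixes", [])]
    return nets


def is_aws_source(source_ip, aws_networks):
    """True if the address is in AWS space or is a private (VPC endpoint) address."""
    ip = ipaddress.ip_address(source_ip)
    # 'in' returns False across address families, so mixing v4 and v6 is safe here
    return any(ip in net for net in PRIVATE_NETWORKS) or any(ip in net for net in aws_networks)


def instance_credential(event):
    """Return (role_name, instance_id) when the event used instance-profile credentials,
    i.e. an assumed-role ARN whose session name is an instance ID; otherwise None."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    _, sep, tail = ident.get("arn", "").partition(":assumed-role/")
    if not sep:
        return None
    role_name, _, session_name = tail.partition("/")
    if not INSTANCE_ID_RE.match(session_name):
        return None
    return role_name, session_name


def find_external_uses(events, aws_networks):
    """The detection: instance-profile credentials used from an address outside AWS."""
    hits = []
    for event in events:
        cred = instance_credential(event)
        if cred is None:
            continue
        try:
            source = ipaddress.ip_address(event.get("sourceIPAddress", ""))
        except ValueError:
            continue  # service principals are logged as DNS names, not addresses
        if is_aws_source(source, aws_networks):
            continue
        role_name, instance_id = cred
        hits.append({"eventTime": event["eventTime"], "eventName": event["eventName"],
                     "sourceIPAddress": str(source), "role": role_name, "instanceId": instance_id})
    return hits


def revoke_sessions_policy(issued_before=None):
    """Inline deny policy, in the shape the IAM console attaches for "Revoke active
    sessions", that invalidates every session of the role issued before the cut-off."""
    if issued_before is None:
        issued_before = datetime.now(timezone.utc)
    if isinstance(issued_before, datetime):
        issued_before = issued_before.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Deny", "Action": ["*"], "Resource": ["*"],
                           "Condition": {"DateLessThan": {"aws:TokenIssueTime": issued_before}}}]}


if __name__ == "__main__":
    networks = load_aws_networks(AWS_IP_RANGES)
    for hit in find_external_uses(SAMPLE_EVENTS, networks):
        print(f"{hit['eventTime']} {hit['eventName']} by {hit['role']}/{hit['instanceId']} "
              f"from {hit['sourceIPAddress']}")
        print(json.dumps(revoke_sessions_policy(), indent=2))
```

Only the replayed ListBuckets call is reported: the instance's own call comes from the AWS range, the operator session is not an instance credential, and the service-name source is skipped rather than misclassified as external. The policy document is what you would attach to the affected role (for example with iam put-role-policy) before hunting for how the credential was taken.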