
AWS EC2 instance interacted with the IAM API

ID: aws_ec2_iam_access
Data type: AWS CloudTrail
Severity: Low - Medium
MITRE ATT&CK: TA0004:T1098

Description

AlphaSOC detected an AWS Elastic Compute Cloud (EC2) instance interacting with the Identity and Access Management (IAM) API. This activity could indicate that a threat actor is using stolen credentials to move laterally within AWS IAM resources. Using the IAM API, they can manage temporary credentials for applications running on an EC2 instance to create backdoor accounts or modify existing privileges. Actions initiated by AWS services and AWS service roles assumed by an EC2 instance are exempt from the detection to avoid false positives.

Impact

Unauthorized IAM API interactions can lead to severe security implications, including privilege escalation, creation of rogue admin accounts, and modification of existing permissions. This could result in unauthorized access to sensitive AWS resources, data breaches, or complete compromise of the AWS environment. The threat actor might gain persistent access, making it challenging to detect and remove their presence.

Severity

Severity | Condition
Low      | AWS EC2 instance interacted with IAM API
Medium   | Unexpected region, ASN or user agent
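The following Python is an added worked example of the detection logic described above (an EC2 instance, identified by its instance-profile session, calling the IAM API) and of the severity conditions in the table; it is not AlphaSOC's code. It runs offline over constructed CloudTrail records. The expected regions, ASNs and user-agent prefixes, the IP-to-ASN lookup, and the sample events are all constructed assumptions; in a real pipeline the ASN would come from an enrichment source, since CloudTrail itself only records the source IP.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Role session names issued through the instance metadata service are the instance ID.
INSTANCE_ID_RE = re.compile(r"^i-[0-9a-f]{8,17}$")

# Constructed baseline of what this (hypothetical) environment considers normal.
EXPECTED_REGIONS = {"us-east-1"}
EXPECTED_ASNS = {16509}
EXPECTED_UA_PREFIXES = ("aws-sdk-java/", "aws-cli/")

# Constructed stand-in for an IP-to-ASN enrichment source (documentation address ranges).
IP_TO_ASN: Dict[str, int] = {"198.51.100.20": 16509, "203.0.113.7": 64500}


@dataclass
class Finding:
    event_name: str
    instance_id: str
    severity: str
    reasons: List[str] = field(default_factory=list)


def _ec2_instance_id(event: dict) -> Optional[str]:
    """Return the instance ID if the caller is an EC2 instance profile session, else None."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    # invokedBy is set when an AWS service acted on the role's behalf: exempt (false-positive guard).
    if ident.get("invokedBy"):
        return None
    # ec2RoleDelivery appears when the credentials were fetched from the instance metadata service.
    if "ec2RoleDelivery" not in ident.get("sessionContext", {}):
        return None
    session_name = ident.get("arn", "").rsplit("/", 1)[-1]
    return session_name if INSTANCE_ID_RE.match(session_name) else None


def evaluate(event: dict) -> Optional[Finding]:
    """Apply the rule to one CloudTrail record; return a Finding or None."""
    if event.get("eventSource") != "iam.amazonaws.com":
        return None
    if event.get("userIdentity", {}).get("type") == "AWSService":
        return None  # actions initiated by AWS services are exempt
    instance_id = _ec2_instance_id(event)
    if instance_id is None:
        return None

    reasons: List[str] = []
    region = event.get("awsRegion")
    if region not in EXPECTED_REGIONS:
        reasons.append(f"unexpected region {region}")
    asn = IP_TO_ASN.get(event.get("sourceIPAddress", ""))
    if asn not in EXPECTED_ASNS:
        reasons.append(f"unexpected ASN {asn}")
    user_agent = event.get("userAgent", "")
    if not user_agent.startswith(EXPECTED_UA_PREFIXES):
        reasons.append(f"unexpected user agent {user_agent!r}")

    # Low: any EC2 -> IAM API call. Medium: additionally off-baseline region, ASN or user agent.
    severity = "Medium" if reasons else "Low"
    return Finding(event["eventName"], instance_id, severity, reasons)


def scan(events: List[dict]) -> List[Finding]:
    return [f for f in (evaluate(e) for e in events) if f is not None]


def _ec2_identity(session: str, invoked_by: Optional[str] = None) -> dict:
    ident = {
        "type": "AssumedRole",
        "arn": f"arn:aws:sts::123456789012:assumed-role/AppRole/{session}",
        "sessionContext": {"ec2RoleDelivery": "2.0"},
    }
    if invoked_by:
        ident["invokedBy"] = invoked_by
    return ident


# Constructed sample CloudTrail records (account ID, IPs and instance IDs are made up).
SAMPLE_EVENTS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.20", "userAgent": "aws-sdk-java/1.12.529 Linux/5.10",
     "userIdentity": _ec2_identity("i-0abc1234567890def")},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy", "awsRegion": "eu-west-3",
     "sourceIPAddress": "203.0.113.7", "userAgent": "python-requests/2.31.0",
     "userIdentity": _ec2_identity("i-0abc1234567890def")},
    {"eventSource": "iam.amazonaws.com", "eventName": "GetRole", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.20", "userAgent": "ec2.amazonaws.com",
     "userIdentity": _ec2_identity("i-0abc1234567890def", invoked_by="ec2.amazonaws.com")},
    {"eventSource": "iam.amazonaws.com", "eventName": "ListUsers", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.20", "userAgent": "aws-cli/2.15.0",
     "userIdentity": _ec2_identity("alice")},  # human session on the same role: not an instance
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.20", "userAgent": "aws-cli/2.15.0",
     "userIdentity": _ec2_identity("i-0abc1234567890def")},  # not the IAM API
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Only the first two records produce findings: the first is Low (everything on baseline), the second is Medium with three reasons. The service-invoked call, the human role session and the non-IAM event are all dropped, matching the exemptions the description lists.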

Investigation and Remediation

Investigate the EC2 instance's role and purpose to determine whether IAM API access is expected. Review CloudTrail logs to identify the specific IAM actions performed. If the activity is unauthorized, immediately revoke the instance's IAM permissions, terminate the instance if it is compromised, and conduct a thorough security audit.