Unexpected AWS EC2 instance launch
Description
AlphaSOC detected an AWS Elastic Compute Cloud (EC2) instance that was launched in an unexpected way, potentially indicating unauthorized or malicious activity. The instance was launched from a client IP within an unexpected ASN or by a client with an unexpected user agent, which may indicate that a threat actor has obtained AWS credentials or is exploiting a misconfiguration in the cloud environment. EC2 instance launches initiated by AWS services are exempt from detection to avoid false positives.
Impact
An unexpectedly launched EC2 instance can have significant consequences for an organization's cloud security. Threat actors can create new EC2 instances to gain unauthorized access to sensitive data, move laterally within the cloud environment, increase the cost of cloud usage, or use it as a platform for further attacks. The compromised instance could also be used to exfiltrate data or launch attacks on other systems, both inside and outside the organization's network.
Severity
| Severity | Condition |
|---|---|
| Low | EC2 instance launched by a client IP within an unexpected ASN |
| Low | EC2 instance launched by a client with an unexpected user agent |
Investigation and Remediation
Investigate the EC2 instance's launch details, including the responsible user or IAM role, instance type, and any associated metadata. Review CloudTrail logs for any suspicious activity prior to the launch. If determined to be malicious, immediately isolate the instance, revoke the associated IAM credentials, and terminate the instance.
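As an added example (not AlphaSOC's own detection code), the following Python applies the two conditions above to CloudTrail records: a `RunInstances` event is flagged when the source IP's ASN or the user agent is outside an allowlist, and launches initiated by AWS services are skipped. The ASN lookup table, the allowlists and the sample records are constructed placeholders.

```python
import json
from typing import Dict, List, Optional

# Constructed allowlists (hypothetical values, not from the finding page):
# ASNs the organization normally launches from, and user agents its tooling uses.
EXPECTED_ASNS = {16509, 64512}
EXPECTED_USER_AGENTS = ("aws-cli/", "Terraform/")
# Constructed IP-to-ASN table standing in for a real lookup service.
IP_TO_ASN = {"203.0.113.10": 64512, "198.51.100.7": 4134}

def classify_run_instances(event: Dict, ip_to_asn: Dict[str, int] = IP_TO_ASN) -> Optional[Dict]:
    """Return a Low-severity finding for an unexpected RunInstances event, else None."""
    if event.get("eventName") != "RunInstances":
        return None
    ident = event.get("userIdentity", {})
    # Launches initiated by AWS services are exempt, as the finding describes.
    if ident.get("type") == "AWSService" or "invokedBy" in ident:
        return None
    src_ip = event.get("sourceIPAddress", "")
    agent = event.get("userAgent", "")
    asn = ip_to_asn.get(src_ip)  # None when the IP is unknown, which is also flagged
    reasons = []
    if asn not in EXPECTED_ASNS:
        reasons.append(f"client IP {src_ip} in unexpected ASN {asn}")
    if not agent.startswith(EXPECTED_USER_AGENTS):
        reasons.append(f"unexpected user agent {agent!r}")
    if not reasons:
        return None
    return {"severity": "Low", "principal": ident.get("arn"),
            "region": event.get("awsRegion"), "reasons": reasons}

def scan(lines: List[str]) -> List[Dict]:
    """Run the check over newline-delimited JSON CloudTrail records."""
    findings = []
    for line in lines:
        if line.strip():
            finding = classify_run_instances(json.loads(line))
            if finding:
                findings.append(finding)
    return findings

# Constructed sample records: an expected launch, an exempt service launch, a suspicious one.
SAMPLE_LOG = """
{"eventName":"RunInstances","sourceIPAddress":"203.0.113.10","userAgent":"aws-cli/2.15.0","awsRegion":"us-east-1","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/ops"}}
{"eventName":"RunInstances","sourceIPAddress":"autoscaling.amazonaws.com","userAgent":"autoscaling.amazonaws.com","awsRegion":"us-east-1","userIdentity":{"type":"AWSService","invokedBy":"autoscaling.amazonaws.com"}}
{"eventName":"RunInstances","sourceIPAddress":"198.51.100.7","userAgent":"python-requests/2.31","awsRegion":"ap-southeast-1","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/ops"}}
"""

if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_LOG.splitlines()), indent=2))
```

The finding's `principal` and `region` fields are the starting point for the launch-detail review described above; the same allowlists can be tightened per account or region.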