
AWS EC2 instance launches in multiple regions

ID: aws_ec2_launch_multi_region
Data type: AWS CloudTrail
Severity: Low
MITRE ATT&CK: TA0005:T1578.002

Description

AlphaSOC detected a launch of Amazon Elastic Compute Cloud (EC2) instances across multiple AWS regions. This activity could indicate an attempt to expand infrastructure for legitimate purposes or a potential security threat. EC2 instances launched by AWS services are exempt from the detection to avoid false positives.
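The check described above, as an added example that is not AlphaSOC's own code: it groups CloudTrail RunInstances events by calling principal, counts the distinct regions per principal, and skips calls that CloudTrail marks as made by an AWS service (the userIdentity.invokedBy field). The events, account ID and principal names are constructed for the example.

```python
"""Added example (not AlphaSOC's own code): flag principals whose CloudTrail
RunInstances events span more than one AWS region, skipping launches that an
AWS service made on the principal's behalf. The events below are constructed."""
import json
from collections import defaultdict

# Constructed CloudTrail records, trimmed to the fields the check needs.
SAMPLE_EVENTS = [
    {"eventName": "RunInstances", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"}},
    {"eventName": "RunInstances", "awsRegion": "eu-west-1",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"}},
    {"eventName": "RunInstances", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/build"}},
    # Launch performed by an AWS service (here Auto Scaling) for the build role:
    # exempted so that fleet scaling does not trigger the detection.
    {"eventName": "RunInstances", "awsRegion": "eu-central-1",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/build",
                      "invokedBy": "autoscaling.amazonaws.com"}},
    {"eventName": "RunInstances", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"}},
    # Not a launch at all; must be ignored even though it is in another region.
    {"eventName": "DescribeInstances", "awsRegion": "eu-west-1",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"}},
]


def is_service_launch(event):
    """CloudTrail sets userIdentity.invokedBy when an AWS service made the call."""
    invoked_by = event.get("userIdentity", {}).get("invokedBy", "")
    return invoked_by.endswith(".amazonaws.com")


def regions_by_principal(events):
    """Map each principal ARN to the set of regions where it called RunInstances."""
    regions = defaultdict(set)
    for event in events:
        if event.get("eventName") != "RunInstances" or is_service_launch(event):
            continue
        regions[event["userIdentity"]["arn"]].add(event["awsRegion"])
    return regions


def detect_multi_region_launches(events, min_regions=2):
    """Return {principal_arn: sorted region list} for principals at or above the threshold."""
    return {arn: sorted(regs) for arn, regs in regions_by_principal(events).items()
            if len(regs) >= min_regions}


if __name__ == "__main__":
    print(json.dumps(detect_multi_region_launches(SAMPLE_EVENTS), indent=2))
```

Only alice is reported: the build role's second region comes from an Auto Scaling call and is exempted, and bob's second-region event is not a launch.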

Impact

Multi-region EC2 instance launches may indicate an attempt by a threat actor to establish a widespread presence in the cloud environment, potentially leading to data exfiltration, resource abuse, or serving as a launching pad for further attacks. This activity can also result in unexpected costs and complicate security monitoring and management efforts.

Severity

Severity    Condition
Low         EC2 instances launched in multiple regions

Investigation and Remediation

Investigate the EC2 instance launch details, including the responsible user or IAM role and any associated metadata. Review CloudTrail logs for any suspicious activity prior to the launch. If the activity is determined to be malicious, immediately isolate the instances, revoke the associated IAM credentials, and terminate the instances.

Known False Positives

  • Third-party services or partners with authorized access launching instances in various regions