AWS EC2 instance launches in multiple regions
Description
AlphaSOC detected a launch of Amazon Elastic Compute Cloud (EC2) instances across multiple AWS regions. This activity could indicate an attempt to expand infrastructure for legitimate purposes or a potential security threat. EC2 instances launched by AWS services are exempt from the detection to avoid false positives.
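As an added illustration of the detection logic described above (example code written for this page, not AlphaSOC's implementation), the function below groups CloudTrail `RunInstances` events by calling principal, skips launches made by AWS services, and flags any principal that launched in two or more distinct regions within a one-hour window. The sample events, the window, the region threshold and the service-exemption heuristic are all assumptions made here.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample CloudTrail records (not real data); only the fields the detection reads are kept.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "RunInstances", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2024-05-01T10:04:00Z", "eventName": "RunInstances", "awsRegion": "eu-west-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2024-05-01T10:09:00Z", "eventName": "RunInstances", "awsRegion": "ap-southeast-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
    # Launch performed by an AWS service (Auto Scaling) on the account's behalf: exempt from the detection.
    {"eventTime": "2024-05-01T10:10:00Z", "eventName": "RunInstances", "awsRegion": "us-west-2",
     "userIdentity": {"type": "AWSService", "invokedBy": "autoscaling.amazonaws.com"}},
    # An unrelated API call and a single-region launch by another principal: neither should alert.
    {"eventTime": "2024-05-01T10:11:00Z", "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"}},
    {"eventTime": "2024-05-01T10:12:00Z", "eventName": "RunInstances", "awsRegion": "us-east-1",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/Deploy/ci"}},
]

def _is_service_launch(identity):
    # Assumed exemption heuristic: the caller is an AWS service itself (userIdentity.type "AWSService")
    # or the call was made on the account's behalf by a service principal (invokedBy *.amazonaws.com).
    return identity.get("type") == "AWSService" or str(identity.get("invokedBy", "")).endswith("amazonaws.com")

def multi_region_launches(events, window=timedelta(hours=1), min_regions=2):
    """Return {principal_arn: sorted regions} for every principal that launched EC2
    instances in at least `min_regions` distinct regions within any `window`."""
    launches = defaultdict(list)
    for ev in events:
        if ev.get("eventName") != "RunInstances":
            continue
        identity = ev.get("userIdentity", {})
        if _is_service_launch(identity):
            continue
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        launches[identity.get("arn", "unknown")].append((ts, ev["awsRegion"]))
    hits = {}
    for principal, rows in launches.items():
        rows.sort()  # sliding window over the principal's launches in time order
        for i, (start, _) in enumerate(rows):
            regions = {r for t, r in rows[i:] if t - start <= window}
            if len(regions) >= min_regions:
                hits[principal] = sorted(regions)
                break
    return hits
```

Calling `multi_region_launches(SAMPLE_EVENTS)` on the constructed records flags only `user/alice` (three regions in nine minutes); the Auto Scaling launch and the single-region deploy role produce no alert.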
Impact
Multi-region EC2 instance launches may indicate an attempt by a threat actor to establish a widespread presence in the cloud environment, potentially leading to data exfiltration, resource abuse, or serving as a launching pad for further attacks. This activity can also result in unexpected costs and complicate security monitoring and management efforts.
Severity
| Severity | Condition |
|---|---|
| Low | EC2 instances launched in multiple regions |
Investigation and Remediation
Investigate the EC2 instance launch details, including the responsible user or IAM role and any associated metadata. Review CloudTrail logs for any suspicious activity prior to the launch. If the activity is determined to be malicious, immediately isolate the instance, revoke the associated IAM credentials, and terminate the instance.
Known False Positives
- Third-party services or partners with authorized access launching instances in various regions