AWS EC2 instance launch in a new region
Description
AlphaSOC detected a launch of Amazon Elastic Compute Cloud (EC2) instances in a previously unseen AWS region. This activity could indicate an expansion of legitimate cloud infrastructure, but it may also signify unauthorized access or an attempt to evade detection. EC2 instances launched by AWS services and trusted accounts, CloudTrail logs with no specified region, and failed attempts to launch an EC2 instance are exempt from the detection to avoid false positives.
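The following is an added illustration of the logic described above, written for this page and not AlphaSOC's own code. It runs the rule over constructed CloudTrail-style records: `RunInstances` events are compared against a baseline of known regions, and the stated exemptions (AWS service launches, trusted accounts, missing region, failed calls) are applied first. The trusted-account list and the use of `userIdentity.invokedBy` to recognise service-initiated launches are assumptions.

```python
"""Flag EC2 RunInstances calls in a region not seen before (simplified re-implementation)."""

TRUSTED_ACCOUNTS = {"111111111111"}  # assumed allow-list of trusted account IDs


def is_exempt(event: dict) -> bool:
    """Exemptions from the detection description."""
    identity = event.get("userIdentity", {})
    if identity.get("type") == "AWSService" or identity.get("invokedBy"):
        return True                                # launched by an AWS service (assumed field use)
    if identity.get("accountId") in TRUSTED_ACCOUNTS:
        return True                                # trusted account
    if not event.get("awsRegion"):
        return True                                # no region recorded
    if "errorCode" in event:
        return True                                # failed launch attempt
    return False


def detect_new_region_launches(events, known_regions):
    """Return (alerts, updated_known_regions); each new region alerts once."""
    seen = set(known_regions)
    alerts = []
    for ev in events:
        if ev.get("eventName") != "RunInstances" or is_exempt(ev):
            continue
        region = ev["awsRegion"]
        if region not in seen:
            alerts.append({"region": region, "actor": ev["userIdentity"].get("arn"),
                           "time": ev.get("eventTime")})
            seen.add(region)  # baseline learns the region after the first alert
    return alerts, seen


# Constructed sample events, trimmed to the fields the rule needs.
SAMPLE_EVENTS = [
    {"eventName": "RunInstances", "awsRegion": "us-east-1", "eventTime": "2024-01-01T10:00:00Z",
     "userIdentity": {"type": "IAMUser", "accountId": "222222222222", "arn": "arn:aws:iam::222222222222:user/ops"}},
    {"eventName": "RunInstances", "awsRegion": "eu-north-1", "eventTime": "2024-01-01T10:05:00Z",
     "userIdentity": {"type": "AssumedRole", "accountId": "222222222222", "arn": "arn:aws:sts::222222222222:assumed-role/Dev/x"}},
    {"eventName": "RunInstances", "awsRegion": "ap-southeast-1", "eventTime": "2024-01-01T10:06:00Z",
     "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"type": "IAMUser", "accountId": "222222222222", "arn": "arn:aws:iam::222222222222:user/ops"}},
    {"eventName": "RunInstances", "awsRegion": "sa-east-1", "eventTime": "2024-01-01T10:07:00Z",
     "userIdentity": {"type": "AWSService", "invokedBy": "autoscaling.amazonaws.com"}},
    {"eventName": "RunInstances", "awsRegion": "eu-north-1", "eventTime": "2024-01-01T10:08:00Z",
     "userIdentity": {"type": "AssumedRole", "accountId": "222222222222", "arn": "arn:aws:sts::222222222222:assumed-role/Dev/x"}},
    {"eventName": "DescribeInstances", "awsRegion": "eu-west-3", "eventTime": "2024-01-01T10:09:00Z",
     "userIdentity": {"type": "IAMUser", "accountId": "222222222222", "arn": "arn:aws:iam::222222222222:user/ops"}},
]

if __name__ == "__main__":
    found, _ = detect_new_region_launches(SAMPLE_EVENTS, {"us-east-1"})
    for a in found:
        print(f"ALERT new region {a['region']} by {a['actor']} at {a['time']}")
```

On the sample data only the first `eu-north-1` launch alerts; the failed, service-initiated and already-baselined launches are skipped.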
Impact
Launching EC2 instances in a new region can be exploited by threat actors to establish persistence, bypass security controls, or hide malicious activities from security teams unfamiliar with the organization's normal operational footprint. It can result in unauthorized resource usage, data exfiltration, or serve as a staging ground for further attacks.
Severity
| Severity | Condition |
|---|---|
| Medium | EC2 instances launched in a new or unexpected region |
Investigation and Remediation
Investigate the EC2 instance's launch details, including the responsible user or IAM role, instance types, and any associated metadata. Review CloudTrail logs for any suspicious activity prior to the launch. If determined to be malicious, immediately isolate the instance, revoke the associated IAM credentials, and terminate the instance.
Known False Positives
- Misconfiguration of infrastructure-as-code tools deploying resources to unintended regions