Skip to main content

A large AWS EC2 instance launch with an unusual instance type

ID:aws_ec2_launch_new_type
Data type:AWS CloudTrail
Severity:
Low
MITRE ATT&CK:TA0005:T1578.002

Description

AlphaSOC detected a launch of a large AWS Elastic Compute Cloud (EC2) instance with an unusual instance type by a user with no recent history of such activity. This activity could indicate an attempt to exploit cloud resources for malicious purposes. EC2 instances launched by AWS services and new accounts are exempt from the detection to avoid false positives.

Impact

Launching unusual EC2 instances can lead to significant security and financial risks. Threat actors may launch unusual or oversized instances to perform resource-intensive tasks, such as cryptocurrency mining, or to establish a foothold in the cloud environment for further malicious activities. This can result in unexpected costs, data breaches, and potential compromise of other cloud resources connected to the affected AWS account.

Severity

SeverityCondition
Low
Large EC2 instance launched with an unusual instance type

Investigation and Remediation

Investigate the EC2 instance's launch details, including the responsible user or IAM role, instance type, and any associated metadata. Review CloudTrail logs for any suspicious activity prior to the launch. If determined to be malicious, immediately isolate the instance, revoke the associated IAM credentials, and terminate the instance.

Known False Positives

  • Legitimate testing or development activities requiring large and non-standard instance types
  • Misconfiguration of auto-scaling groups leading to unintended instance launches
  • Automated infrastructure-as-code deployments testing various instance configurations