Enumeration of EC2 instance startup scripts
Description
AlphaSOC detected an enumeration of Elastic Compute Cloud (EC2) instance startup scripts. This activity involves attempts to systematically gather information about AWS resources, configurations, or services in an account, or to access or retrieve the user data scripts associated with EC2 instances. Startup scripts often contain sensitive information such as credentials, configuration details, or other valuable data that can be targeted by threat actors. Actions initiated by AWS services and known security tools are exempt from the detection to avoid false positives.
Impact
Successful enumeration of EC2 instance startup scripts can provide threat actors with critical information about the infrastructure, potentially leading to unauthorized access, data leakage, or further compromise. Threat actors can use the information gained to tailor their attacks, move laterally within the environment, or escalate privileges.
Severity
| Severity | Condition |
|---|---|
| Informational | Excessive enumeration attempts of EC2 instance startup scripts |
Investigation and Remediation
Investigate the source and scope of the enumeration activity. Review logs to identify the specific EC2 instances targeted, the principal that made the requests, and the origin of the requests. Verify whether any sensitive information (such as credentials or internal configuration details) was exposed in the startup scripts. If unauthorized access is confirmed, rotate any compromised credentials, update affected configurations, and patch vulnerabilities.
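The following is an added example illustrating the detection described above and the log review step in this section; it is not AlphaSOC's detection code. It assumes that reading an instance's startup script appears in CloudTrail as an `ec2.amazonaws.com` `DescribeInstanceAttribute` event with `requestParameters.attribute` set to `userData`, and that calls made by AWS services on the account's behalf carry a `userIdentity.invokedBy` value or a `sourceIPAddress` ending in `.amazonaws.com` (CloudTrail's convention for service-initiated calls). The threshold of five distinct instances within fifteen minutes is a constructed example value, not the product's. All log records are constructed inline.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Builds one constructed CloudTrail-style record; only the fields the
# detection logic reads are populated (assumption: standard record shape).
def _rec(t, arn, ip, instance_id, attribute="userData", invoked_by=None):
    identity = {"type": "IAMUser", "arn": arn}
    if invoked_by:
        identity["invokedBy"] = invoked_by
    return {
        "eventTime": t,
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstanceAttribute",
        "userIdentity": identity,
        "sourceIPAddress": ip,
        "requestParameters": {"instanceId": instance_id, "attribute": attribute},
    }

ALICE = "arn:aws:iam::123456789012:user/alice"
BOB = "arn:aws:iam::123456789012:user/bob"
CAROL = "arn:aws:iam::123456789012:user/carol"
ASG_ROLE = "arn:aws:sts::123456789012:assumed-role/AWSServiceRoleForAutoScaling/AutoScaling"

# Constructed sample log: alice sweeps six instances in ten minutes, bob reads
# one script, carol reads six scripts an hour apart, and an AWS service
# (Auto Scaling) reads eight scripts on the account's behalf.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": (
    [_rec(f"2024-05-01T10:{m:02d}:00Z", ALICE, "203.0.113.10", f"i-0a1b2c3d4e5f600{n:02d}")
     for n, m in enumerate(range(0, 12, 2), start=1)]
    + [_rec("2024-05-01T10:11:00Z", ALICE, "203.0.113.10", "i-0a1b2c3d4e5f60001", attribute="instanceType")]
    + [_rec("2024-05-01T11:00:00Z", BOB, "198.51.100.7", "i-0a1b2c3d4e5f60007")]
    + [_rec(f"2024-05-01T{h}:00:00Z", CAROL, "192.0.2.44", f"i-0a1b2c3d4e5f601{n:02d}")
       for n, h in enumerate(range(12, 18), start=1)]
    + [_rec(f"2024-05-01T12:{m:02d}:30Z", ASG_ROLE, "autoscaling.amazonaws.com",
            f"i-0a1b2c3d4e5f602{n:02d}", invoked_by="autoscaling.amazonaws.com")
       for n, m in enumerate(range(0, 8), start=1)]
)})


def load_records(raw_json):
    """Parse a CloudTrail log file body into its list of records."""
    return json.loads(raw_json)["Records"]


def is_aws_service_call(record):
    """True for calls an AWS service made on the account's behalf (exempted
    from the detection, mirroring the page's note on service-initiated actions)."""
    invoked_by = record.get("userIdentity", {}).get("invokedBy", "")
    src = record.get("sourceIPAddress", "")
    return invoked_by.endswith(".amazonaws.com") or src.endswith(".amazonaws.com")


def userdata_reads(records):
    """Yield only the records that read an instance's user data script."""
    for r in records:
        if r.get("eventSource") != "ec2.amazonaws.com":
            continue
        if r.get("eventName") != "DescribeInstanceAttribute":
            continue
        if r.get("requestParameters", {}).get("attribute") != "userData":
            continue
        if is_aws_service_call(r):
            continue
        yield r


def detect_enumeration(records, threshold=5, window=timedelta(minutes=15)):
    """Map principal ARN -> finding for every principal that read the user data
    of at least `threshold` distinct instances within any `window`-long span.
    The finding lists the targeted instances and source IPs for investigation."""
    by_principal = defaultdict(list)
    for r in userdata_reads(records):
        ts = datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        by_principal[r["userIdentity"]["arn"]].append(
            (ts, r["requestParameters"]["instanceId"], r["sourceIPAddress"]))

    findings = {}
    for arn, events in by_principal.items():
        events.sort()
        best, j = None, 0
        for i in range(len(events)):          # sliding window over sorted events
            while j < len(events) and events[j][0] - events[i][0] <= window:
                j += 1
            span = events[i:j]
            distinct = {inst for _, inst, _ in span}
            if len(distinct) >= threshold and (best is None or len(distinct) > len(best["instances"])):
                best = {
                    "instances": sorted(distinct),
                    "source_ips": sorted({ip for _, _, ip in span}),
                    "first_seen": span[0][0].isoformat(),
                    "last_seen": span[-1][0].isoformat(),
                }
        if best:
            findings[arn] = best
    return findings


if __name__ == "__main__":
    print(json.dumps(detect_enumeration(load_records(SAMPLE_CLOUDTRAIL)), indent=2))
```

Run as-is, the script flags only alice: bob is below the threshold, carol's reads are too spread out in time, and the Auto Scaling calls are exempt as service-initiated. The per-finding instance list and source IPs are the two things the investigation step above asks you to pull from the logs.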
Known False Positives
- Legitimate system administrators accessing different startup scripts on different instances for troubleshooting or maintenance purposes