
Multiple EC2 instances were terminated in an anomalous way

ID: aws_ec2_termination_anomaly
Data type: AWS CloudTrail
Severity: Low
MITRE ATT&CK: TA0005:T1578.003

Description

AlphaSOC detected multiple AWS EC2 instances terminated unexpectedly. This activity indicates potential unauthorized access to AWS resources and disruption of cloud infrastructure operations.

Impact

Termination of EC2 instances can cause service outages and business disruption. When EC2 instances terminate, attached EBS volumes may be deleted automatically depending on their configuration, leading to permanent data loss. Attackers use instance termination to destroy evidence, disrupt operations, or as part of a larger attack campaign.

Severity

Severity | Condition
Low | Multiple EC2 instances terminated unexpectedly

Investigation and Remediation

Review AWS CloudTrail logs to identify the source of the termination commands. Check for unauthorized access to AWS accounts or compromised credentials. Verify that the terminations were part of planned maintenance or authorized actions. If malicious activity is confirmed, revoke compromised credentials and, if necessary, restore the instances.
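
A first pass over exported CloudTrail records for the review described above, as an added example that is not AlphaSOC's detection logic: it groups successful TerminateInstances calls by principal ARN, access key ID and source IP, then ranks them by the number of instances terminated. The sample records, account ID, key IDs, instance IDs and IP addresses are constructed, and `make_event` is a hypothetical helper used only to build them.

```python
from collections import defaultdict

def summarize_terminations(records):
    """Group successful TerminateInstances calls by (principal ARN, access key ID, source IP)."""
    groups = defaultdict(lambda: {"instances": set(), "first": None, "last": None})
    for rec in records:
        if (rec.get("eventSource"), rec.get("eventName")) != ("ec2.amazonaws.com", "TerminateInstances"):
            continue
        if rec.get("errorCode"):  # denied or failed calls terminated nothing
            continue
        ident = rec.get("userIdentity") or {}
        key = (ident.get("arn", "unknown"), ident.get("accessKeyId", "unknown"),
               rec.get("sourceIPAddress", "unknown"))
        items = ((rec.get("requestParameters") or {}).get("instancesSet") or {}).get("items") or []
        g = groups[key]
        g["instances"].update(i["instanceId"] for i in items if "instanceId" in i)
        when = rec.get("eventTime", "")  # ISO 8601 UTC strings sort chronologically
        g["first"] = when if g["first"] is None else min(g["first"], when)
        g["last"] = when if g["last"] is None else max(g["last"], when)
    # Largest number of terminated instances first
    return sorted(((k, len(g["instances"]), g["first"], g["last"]) for k, g in groups.items()),
                  key=lambda row: row[1], reverse=True)

def make_event(arn, key_id, ip, when, ids, error=None):
    """Build a constructed record with the CloudTrail fields used above (demo data only)."""
    rec = {"eventSource": "ec2.amazonaws.com", "eventName": "TerminateInstances",
           "eventTime": when, "sourceIPAddress": ip,
           "userIdentity": {"arn": arn, "accessKeyId": key_id},
           "requestParameters": {"instancesSet": {"items": [{"instanceId": i} for i in ids]}}}
    if error:
        rec["errorCode"] = error
    return rec

ALICE = ("arn:aws:iam::111122223333:user/alice", "AKIAEXAMPLEKEY000002", "203.0.113.50")
SAMPLE = [  # constructed sample records, not real log data
    make_event("arn:aws:sts::111122223333:assumed-role/deploy/ci", "ASIAEXAMPLEKEY000001",
               "198.51.100.7", "2024-01-01T09:00:00Z", ["i-0aaa0000000000001"]),
    make_event(*ALICE, "2024-01-01T02:14:40Z", ["i-0bbb0000000000004", "i-0bbb0000000000005"]),
    make_event(*ALICE, "2024-01-01T02:14:05Z",
               ["i-0bbb0000000000001", "i-0bbb0000000000002", "i-0bbb0000000000003"]),
    make_event("arn:aws:iam::111122223333:user/bob", "AKIAEXAMPLEKEY000003", "203.0.113.9",
               "2024-01-01T02:20:00Z", ["i-0ccc0000000000001"], error="Client.UnauthorizedOperation"),
]

if __name__ == "__main__":
    for (arn, key_id, ip), count, first, last in summarize_terminations(SAMPLE):
        print(f"{count:3d} instances  {arn}  key={key_id}  ip={ip}  {first} .. {last}")
```

The top-ranked principal, key and source IP are the ones to check against change records and planned maintenance before deciding whether credentials need to be revoked.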

Known False Positives

  • Planned maintenance activities