Multiple EC2 instances were terminated in an anomalous way
Description
AlphaSOC detected multiple AWS EC2 instances terminated unexpectedly. This activity indicates potential unauthorized access to AWS resources and disruption of cloud infrastructure operations.
Impact
Termination of EC2 instances can cause service outages and business disruption. When EC2 instances terminate, attached EBS volumes may delete automatically depending on their configuration, leading to permanent data loss. Attackers use instance termination to destroy evidence, disrupt operations, or as part of a larger attack campaign.
Severity
| Severity | Condition |
|---|---|
| Low | Multiple EC2 instances terminated unexpectedly |
Investigation and Remediation
Review AWS CloudTrail logs to identify the source of the termination commands. Check for unauthorized access to AWS accounts or compromised credentials. Verify whether the terminations were part of planned maintenance or authorized actions. If malicious activity is confirmed, revoke compromised credentials and, if necessary, restore the instances.
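One way to carry out the CloudTrail review is sketched below as an added example (not AlphaSOC's own code): it groups `TerminateInstances` records by caller ARN, access key and source IP so that each source of terminations stands out. The sample records, ARNs, key IDs and IP addresses are constructed, and the function name `summarize_terminations` is hypothetical.

```python
import json
from collections import defaultdict

# Constructed CloudTrail records for illustration; ARNs, key IDs and IPs are made up.
SAMPLE = json.loads("""[
 {"eventTime":"2024-01-10T03:12:01Z","eventSource":"ec2.amazonaws.com","eventName":"TerminateInstances",
  "sourceIPAddress":"198.51.100.7","userIdentity":{"arn":"arn:aws:iam::111122223333:user/build-bot","accessKeyId":"AKIAEXAMPLEKEY000001"},
  "requestParameters":{"instancesSet":{"items":[{"instanceId":"i-0aaa0000000000001"},{"instanceId":"i-0aaa0000000000002"}]}}},
 {"eventTime":"2024-01-10T03:12:09Z","eventSource":"ec2.amazonaws.com","eventName":"TerminateInstances",
  "sourceIPAddress":"198.51.100.7","userIdentity":{"arn":"arn:aws:iam::111122223333:user/build-bot","accessKeyId":"AKIAEXAMPLEKEY000001"},
  "requestParameters":{"instancesSet":{"items":[{"instanceId":"i-0aaa0000000000003"}]}}},
 {"eventTime":"2024-01-10T03:12:15Z","eventSource":"ec2.amazonaws.com","eventName":"TerminateInstances",
  "sourceIPAddress":"198.51.100.7","userIdentity":{"arn":"arn:aws:iam::111122223333:user/build-bot","accessKeyId":"AKIAEXAMPLEKEY000001"},
  "errorCode":"Client.UnauthorizedOperation","requestParameters":{"instancesSet":{"items":[{"instanceId":"i-0aaa0000000000004"}]}}},
 {"eventTime":"2024-01-10T09:00:00Z","eventSource":"ec2.amazonaws.com","eventName":"TerminateInstances",
  "sourceIPAddress":"203.0.113.20","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/ops-admin/alice","accessKeyId":"ASIAEXAMPLEKEY000002"},
  "requestParameters":{"instancesSet":{"items":[{"instanceId":"i-0aaa0000000000005"}]}}},
 {"eventTime":"2024-01-10T09:05:00Z","eventSource":"ec2.amazonaws.com","eventName":"RunInstances",
  "sourceIPAddress":"203.0.113.20","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/ops-admin/alice","accessKeyId":"ASIAEXAMPLEKEY000002"}}
]""")


def summarize_terminations(records):
    """Group TerminateInstances calls by (principal ARN, access key ID, source IP)."""
    callers = defaultdict(lambda: {"instances": set(), "denied": 0, "times": []})
    for rec in records:
        if (rec.get("eventSource"), rec.get("eventName")) != ("ec2.amazonaws.com", "TerminateInstances"):
            continue
        ident = rec.get("userIdentity") or {}
        key = (ident.get("arn", "unknown"), ident.get("accessKeyId", "-"), rec.get("sourceIPAddress", "-"))
        entry = callers[key]
        entry["times"].append(rec["eventTime"])
        if rec.get("errorCode"):
            # Failed or denied call: nothing was terminated, but the attempt is worth noting.
            entry["denied"] += 1
            continue
        items = ((rec.get("requestParameters") or {}).get("instancesSet") or {}).get("items") or []
        entry["instances"].update(i["instanceId"] for i in items)
    # ISO 8601 UTC timestamps in CloudTrail sort correctly as strings.
    return {k: {"instances": sorted(v["instances"]), "denied": v["denied"],
                "first": min(v["times"]), "last": max(v["times"])} for k, v in callers.items()}


if __name__ == "__main__":
    ranked = sorted(summarize_terminations(SAMPLE).items(), key=lambda kv: -len(kv[1]["instances"]))
    for (arn, key_id, ip), s in ranked:
        print(f"{arn} key={key_id} ip={ip} terminated={len(s['instances'])} "
              f"denied={s['denied']} window={s['first']}..{s['last']}")
```

Callers at the top of the output can then be compared against change tickets and maintenance windows; an access key or source IP that no planned activity accounts for is the credential to examine first.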
Known False Positives
- Planned maintenance activities