AWS API calls indicating ECS cluster creation
Description
AlphaSOC detected the creation of an Amazon Elastic Container Service (ECS) cluster. While ECS clusters are commonly used for legitimate container orchestration, unauthorized or unexpected cluster creation may indicate malicious activity. Clusters created by AWS services and by known infrastructure-as-code (IaC) tools are exempt from the detection to avoid false positives.
Impact
An unauthorized ECS cluster may be used to run malicious containers. Such clusters can consume resources, potentially leading to increased costs and reduced performance for legitimate workloads. They may also bypass existing security controls, making detection of malicious activities more challenging.
Severity
| Severity | Condition |
|---|---|
| Informational | One unexpected property: action, ASN, user agent or region |
| Low | Two unexpected properties at the same time |
| Medium | Three unexpected properties at the same time |
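The exemptions in the Description and the severity tiers in the table above, modelled in Python as an added example (this is not AlphaSOC's own code). The per-principal baseline, the list of IaC user-agent markers and the abridged CloudTrail records are all constructed for the example, and the ASN is assumed to come from an IP-enrichment step, since CloudTrail does not record it.

```python
# Constructed per-principal baseline (assumed format; the real detection learns it from history).
BASELINE = {
    "arn:aws:iam::123456789012:role/ci-deployer": {
        "actions": {"CreateCluster"}, "asns": {16509},
        "user_agents": ("aws-cli/",), "regions": {"us-east-1"}},
    "arn:aws:iam::123456789012:user/contractor": {
        "actions": {"ListClusters"}, "asns": {16509},
        "user_agents": ("aws-cli/",), "regions": {"us-east-1"}},
}
# User-agent markers of known IaC tools that the detection exempts (assumed list).
IAC_AGENTS = ("HashiCorp/1.0 Terraform", "Pulumi/")
SEVERITY = {1: "Informational", 2: "Low", 3: "Medium"}

def make_event(arn, region, user_agent, invoked_by=None):
    """Build an abridged CloudTrail record for ecs:CreateCluster (constructed sample data)."""
    identity = {"type": "AssumedRole", "arn": arn}
    if invoked_by:  # present when an AWS service such as CloudFormation made the call
        identity["invokedBy"] = invoked_by
    return {"eventSource": "ecs.amazonaws.com", "eventName": "CreateCluster",
            "awsRegion": region, "userAgent": user_agent, "userIdentity": identity}

def is_exempt(event):
    """AWS services acting on the account's behalf and known IaC tools are skipped."""
    identity = event.get("userIdentity", {})
    if identity.get("type") == "AWSService" or identity.get("invokedBy", "").endswith(".amazonaws.com"):
        return True
    return any(marker in event.get("userAgent", "") for marker in IAC_AGENTS)

def unexpected_properties(event, asn):
    """Compare action, ASN, user agent and region with the calling principal's baseline."""
    seen = BASELINE.get(event["userIdentity"].get("arn"), {})  # unknown principal: nothing is expected
    props = []
    if event["eventName"] not in seen.get("actions", set()):
        props.append("action")
    if asn not in seen.get("asns", set()):  # the ASN comes from IP enrichment, not from CloudTrail
        props.append("asn")
    if not event.get("userAgent", "").startswith(seen.get("user_agents", ())):
        props.append("user_agent")
    if event.get("awsRegion") not in seen.get("regions", set()):
        props.append("region")
    return props

def assess(event, asn):
    """Return a finding for an unexpected ecs:CreateCluster call, or None when nothing fires."""
    if event.get("eventSource") != "ecs.amazonaws.com" or event.get("eventName") != "CreateCluster":
        return None
    props = [] if is_exempt(event) else unexpected_properties(event, asn)
    if not props:
        return None
    # The table stops at three properties; four unexpected ones are also rated Medium (assumption).
    return {"severity": SEVERITY[min(len(props), 3)], "unexpected": props}
```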
Investigation and Remediation
Investigate the ECS cluster creation by reviewing the AWS CloudTrail logs to identify the user or role responsible, then verify whether the creation was authorized. If it was not, isolate and delete the cluster immediately. Investigate any associated IAM roles, task definitions, and services for signs of compromise, and review network traffic and container images for indications of malicious activity.