
Suspicious AWS API calls indicating ECS cluster creation

ID: aws_ecs_create_cluster_suspicious
Data type: AWS CloudTrail
Severity: Informational - Medium
MITRE ATT&CK: TA0003 (Persistence): T1098 (Account Manipulation)

Description

AlphaSOC detected the creation of an Amazon Elastic Container Service (ECS) cluster, recorded in CloudTrail as a CreateCluster event from the ecs.amazonaws.com event source. ECS clusters are commonly created for legitimate container orchestration, but an unauthorized or unexpected cluster creation can indicate malicious activity, for example an attacker standing up their own compute in a compromised account. Clusters created by AWS services and by known infrastructure-as-code (IaC) tools are exempt from the detection to avoid false positives.

Impact

An unauthorized ECS cluster may be used to run malicious containers. Such clusters can consume resources, potentially leading to increased costs and reduced performance for legitimate workloads. They may also bypass existing security controls, making detection of malicious activities more challenging.

Severity

Severity        Condition
Informational   One unexpected property (action, ASN, user agent or region)
Low             Two unexpected properties at the same time
Medium          Three unexpected properties at the same time

Investigation and Remediation

Investigate the cluster creation by reviewing the CreateCluster event in AWS CloudTrail: the userIdentity block identifies the user or role responsible, and sourceIPAddress, userAgent and awsRegion show where and how the call was made. Verify that the creation was authorized. If it was not, isolate the cluster immediately (stop running tasks and scale any services to zero, which a cluster deletion requires anyway) and delete it. Investigate the associated IAM roles (including task and task execution roles), task definitions and services for signs of compromise, and review network traffic and container images for malicious activity.
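The following is an added example, not AlphaSOC's detection code, showing how the severity table above and the exemption described under Description can be applied to CloudTrail CreateCluster records, and how the fields needed for the investigation (responsible principal, source IP, region, cluster ARN) fall out of the same event. The IP-to-ASN table, the list of IaC user-agent markers, the per-principal baselines and the sample events are all constructed assumptions; CloudTrail itself carries no ASN, so real deployments need an enrichment source for that property.

```python
# Added example, not AlphaSOC's code. Scores CloudTrail CreateCluster events per the
# severity table (one/two/three unexpected properties) after applying the AWS-service /
# IaC exemption. ASN table, IaC markers, baselines and events are constructed assumptions.
from dataclasses import dataclass, field
from typing import Optional

# Stand-in for ASN enrichment of sourceIPAddress (CloudTrail has no ASN field). Constructed.
ASN_BY_IP = {
    "203.0.113.10": "AS64496",   # corporate egress
    "198.51.100.7": "AS64500",   # unfamiliar hosting provider
}
# Substrings identifying known IaC tools in userAgent. Illustrative list, an assumption.
IAC_USER_AGENT_MARKERS = ("Terraform/", "aws-cdk/", "Pulumi/")
# Severity by number of unexpected properties, as in the table; more than three caps at Medium.
SEVERITY_BY_COUNT = {1: "Informational", 2: "Low", 3: "Medium"}


@dataclass
class Baseline:
    """Values previously seen for a principal (assumed to come from historical CloudTrail)."""
    actions: set = field(default_factory=set)
    asns: set = field(default_factory=set)
    user_agents: set = field(default_factory=set)  # user-agent family, e.g. "aws-cli"
    regions: set = field(default_factory=set)


def user_agent_family(user_agent: str) -> str:
    """'aws-cli/2.15.30 md/awscrt#1.0' -> 'aws-cli'."""
    return user_agent.split("/", 1)[0]


def is_exempt(event: dict) -> bool:
    """Exempt calls by an AWS service (userIdentity.type AWSService, or invokedBy set when a
    service such as CloudFormation acted with the caller's credentials) and by IaC tools."""
    identity = event.get("userIdentity", {})
    if identity.get("type") == "AWSService" or identity.get("invokedBy"):
        return True
    user_agent = event.get("userAgent", "")
    return any(marker in user_agent for marker in IAC_USER_AGENT_MARKERS)


def unexpected_properties(event: dict, baseline: Baseline) -> list:
    """The four properties the severity table counts: action, ASN, user agent, region."""
    found = []
    if event["eventName"] not in baseline.actions:
        found.append("action")
    if ASN_BY_IP.get(event["sourceIPAddress"], "unknown") not in baseline.asns:
        found.append("asn")
    if user_agent_family(event.get("userAgent", "")) not in baseline.user_agents:
        found.append("user_agent")
    if event["awsRegion"] not in baseline.regions:
        found.append("region")
    return found


def evaluate(event: dict, baselines: dict) -> Optional[dict]:
    """Return an alert record for a suspicious CreateCluster event, or None."""
    if event.get("eventSource") != "ecs.amazonaws.com" or event.get("eventName") != "CreateCluster":
        return None
    if is_exempt(event):
        return None
    principal = event["userIdentity"].get("arn")
    props = unexpected_properties(event, baselines.get(principal, Baseline()))
    if not props:
        return None
    return {
        "severity": SEVERITY_BY_COUNT[min(len(props), 3)],
        "unexpected": props,
        "principal": principal,                 # who to investigate first
        "source_ip": event["sourceIPAddress"],
        "region": event["awsRegion"],
        # Cluster ARN from responseElements: the pivot for listing tasks/services and deleting.
        "cluster_arn": event.get("responseElements", {}).get("cluster", {}).get("clusterArn"),
    }


def make_event(identity: dict, ip: str, user_agent: str, region: str, name: str) -> dict:
    """Constructed CloudTrail CreateCluster record with only the fields used above."""
    return {
        "eventSource": "ecs.amazonaws.com", "eventName": "CreateCluster",
        "userIdentity": identity, "sourceIPAddress": ip, "userAgent": user_agent,
        "awsRegion": region, "requestParameters": {"clusterName": name},
        "responseElements": {"cluster": {
            "clusterArn": f"arn:aws:ecs:{region}:123456789012:cluster/{name}"}},
    }


ALICE = "arn:aws:iam::123456789012:user/alice"
BOB = "arn:aws:iam::123456789012:user/bob"
# Constructed baselines: alice has created clusters with the CLI from the corporate ASN in
# us-east-1 before; bob has only ever described clusters.
BASELINES = {
    ALICE: Baseline({"CreateCluster"}, {"AS64496"}, {"aws-cli"}, {"us-east-1"}),
    BOB: Baseline({"DescribeClusters"}, {"AS64496"}, {"aws-cli"}, {"us-east-1"}),
}
SAMPLE_EVENTS = [  # constructed
    # Terraform run by alice: known IaC tool, exempt
    make_event({"type": "IAMUser", "arn": ALICE}, "203.0.113.10",
               "APN/1.0 HashiCorp/1.0 Terraform/1.7.0 (+https://www.terraform.io)", "us-east-1", "app"),
    # CloudFormation acting with alice's credentials: invokedBy set, exempt
    make_event({"type": "IAMUser", "arn": ALICE, "invokedBy": "cloudformation.amazonaws.com"},
               "cloudformation.amazonaws.com", "cloudformation.amazonaws.com", "us-east-1", "stack-app"),
    # alice from the usual place: nothing unexpected, no alert
    make_event({"type": "IAMUser", "arn": ALICE}, "203.0.113.10", "aws-cli/2.15.30 md/awscrt#1.0", "us-east-1", "batch"),
    # alice in a region she has never used: one unexpected property -> Informational
    make_event({"type": "IAMUser", "arn": ALICE}, "203.0.113.10", "aws-cli/2.15.30 md/awscrt#1.0", "eu-west-3", "batch"),
    # bob: first CreateCluster, Boto3, hosting-provider ASN: three unexpected -> Medium
    make_event({"type": "IAMUser", "arn": BOB}, "198.51.100.7", "Boto3/1.34.0 md/Botocore#1.34.0", "us-east-1", "crypto"),
]


def run_samples() -> list:
    return [evaluate(e, BASELINES) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for result in run_samples():
        print(result)
```

The exemption is deliberately applied before scoring, so a service-initiated or IaC-driven creation never counts toward severity even when it arrives from a new region or ASN; if your IaC pipelines run from fixed egress addresses, consider tightening the exemption to user agent plus expected ASN rather than user agent alone, since the user-agent string is caller-controlled.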