AWS EC2 instances unexpectedly described in multiple regions
Description
AlphaSOC detected attempts to enumerate Elastic Compute Cloud (EC2) instances across multiple AWS regions. The DescribeInstances API call is regional: it returns detailed information (instance IDs, AMIs, VPC and subnet IDs, security groups, public and private IP addresses, tags, and attached IAM instance profiles) only for instances in the region the request is sent to, so mapping an account's full footprint requires one call per region. A burst of DescribeInstances calls fanned out across regions from a single principal is the pattern this finding reports. It may indicate that a threat actor with valid credentials is discovering cloud infrastructure by querying instance details in every region, including regions the organization does not normally use. Legitimate inventory, CSPM, and infrastructure-as-code tooling produces the same pattern, so the source and the surrounding activity decide whether it is benign.
Impact
Multi-region instance enumeration lets an adversary map the layout of AWS infrastructure, identify potential targets (for example instances with public IP addresses, permissive security groups, or privileged instance profiles), and gather intelligence about system deployments, including forgotten resources in rarely used regions that receive less scrutiny. This reconnaissance activity can precede more targeted attacks against the discovered resources.
Severity
| Severity | Condition |
|---|---|
| Low | Excessive DescribeInstances calls by one client across multiple regions |
| Medium | EC2 instances described by a client within an unexpected ASN, or accompanied by an unexpected action |
Investigation and Remediation
Review AWS CloudTrail logs to identify the IAM principal (user or assumed role), source IP address, user agent, and targeted regions. DescribeInstances is a read-only management event, so each call is recorded in the trail for the region it was sent to with its awsRegion, sourceIPAddress, and userIdentity fields. Analyze the pattern and frequency of the calls: how many regions were queried, over what interval, whether the source address matches the organization's known egress or CI ranges, and whether the same principal performed other EC2 actions (for example RunInstances, GetConsoleOutput, or CreateSnapshot) in the same window. If unauthorized activity is confirmed, rotate or disable the credentials involved, restrict the principal's IAM permissions, implement region boundaries (an SCP or IAM policy that denies requests where the aws:RequestedRegion condition key is outside the regions in use), and enhance monitoring of cross-region API activity.
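The triage steps above, as an added example that is not AlphaSOC's code: it groups CloudTrail records by principal, counts the distinct regions in which DescribeInstances was called, and raises the severity when the source address falls outside an assumed allowlist or when an assumed set of sensitive EC2 actions appears alongside the enumeration. The CloudTrail events, the CIDR allowlist (standing in for an ASN lookup, which needs external data), the sensitive-action set, and the region threshold are all constructed assumptions.

```python
"""Triage DescribeInstances fan-out across regions from CloudTrail records.

Added example, not AlphaSOC or AWS code. It assumes records in the standard
CloudTrail JSON shape (eventSource, eventName, awsRegion, sourceIPAddress,
userIdentity) and uses constructed sample events.
"""
import ipaddress
from collections import defaultdict

# Assumption: egress ranges an analyst would accept for this account. A real
# deployment would check the source ASN; a CIDR allowlist stands in offline.
EXPECTED_SOURCE_CIDRS = [ipaddress.ip_network("198.51.100.0/24")]

# Assumption: EC2 actions that, seen alongside the enumeration, justify
# escalating the finding from Low to Medium.
SENSITIVE_ACTIONS = {"RunInstances", "GetConsoleOutput", "CreateSnapshot",
                     "ModifyInstanceAttribute", "CreateKeyPair"}

REGION_THRESHOLD = 3  # assumed cutoff for "multiple regions"


def principal_of(event):
    """Return the ARN of the calling principal, falling back to principalId."""
    ident = event.get("userIdentity", {})
    return ident.get("arn") or ident.get("principalId", "unknown")


def source_is_expected(ip):
    """True if the source address is inside an allowlisted range.

    Service-originated calls carry a DNS name (e.g. ec2.amazonaws.com) in
    sourceIPAddress; those are not treated as unexpected here.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return any(addr in net for net in EXPECTED_SOURCE_CIDRS)


def triage(events, region_threshold=REGION_THRESHOLD):
    """Map principal -> finding for every principal that enumerated instances
    in at least region_threshold distinct regions."""
    by_principal = defaultdict(lambda: {"regions": set(), "source_ips": set(),
                                        "other_actions": set(), "calls": 0})
    for ev in events:
        if ev.get("eventSource") != "ec2.amazonaws.com":
            continue
        rec = by_principal[principal_of(ev)]
        if ev.get("eventName") == "DescribeInstances":
            rec["regions"].add(ev["awsRegion"])
            rec["source_ips"].add(ev["sourceIPAddress"])
            rec["calls"] += 1
        else:
            rec["other_actions"].add(ev["eventName"])

    findings = {}
    for principal, rec in by_principal.items():
        if len(rec["regions"]) < region_threshold:
            continue
        unexpected_ips = [ip for ip in rec["source_ips"] if not source_is_expected(ip)]
        unexpected_actions = rec["other_actions"] & SENSITIVE_ACTIONS
        severity = "Medium" if unexpected_ips or unexpected_actions else "Low"
        findings[principal] = {
            "severity": severity,
            "regions": sorted(rec["regions"]),
            "calls": rec["calls"],
            "unexpected_source_ips": sorted(unexpected_ips),
            "unexpected_actions": sorted(unexpected_actions),
        }
    return findings


def _ev(name, region, ip, arn):
    """Build a minimal constructed CloudTrail record."""
    return {"eventSource": "ec2.amazonaws.com", "eventName": name,
            "awsRegion": region, "sourceIPAddress": ip,
            "userIdentity": {"type": "IAMUser", "arn": arn}}


# Constructed sample records (not from a real account).
SUSPECT = "arn:aws:iam::123456789012:user/contractor"
DEPLOYER = "arn:aws:iam::123456789012:role/ci-deploy"
SAMPLE_EVENTS = (
    [_ev("DescribeInstances", r, "203.0.113.45", SUSPECT)
     for r in ["us-east-1", "us-east-2", "us-west-2", "eu-west-1", "ap-southeast-1"]]
    + [_ev("GetConsoleOutput", "us-east-1", "203.0.113.45", SUSPECT)]
    + [_ev("DescribeInstances", r, "198.51.100.10", DEPLOYER)
       for r in ["us-east-1", "eu-west-1", "eu-central-1"]]
    + [_ev("DescribeInstances", "us-east-1", "198.51.100.10",
           "arn:aws:iam::123456789012:user/alice")]
)

if __name__ == "__main__":
    for principal, finding in triage(SAMPLE_EVENTS).items():
        print(principal, finding)
```

Run against the sample, the contractor user is reported at Medium (five regions from an address outside the allowlist, plus a GetConsoleOutput call), the CI role at Low (three regions from an expected range), and the single-region user is not reported at all. In a real investigation the records would come from an Athena query or CloudTrail Lake over the trail, and the allowlist would be replaced by the ASN of the source address.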