Multiple AWS EC2 instances launched unexpectedly
Description
AlphaSOC detected the creation of multiple Elastic Compute Cloud (EC2) instances in the AWS environment. The RunInstances API call launches new EC2 instances with specified configurations. This finding indicates that threat actors may have launched unauthorized instances to establish infrastructure for malicious activities.
Impact
Unauthorized EC2 instance creation can lead to resource exploitation and potential compromise of the AWS environment. Threat actors can use these instances for cryptocurrency mining or as a launching pad for additional attacks within the infrastructure.
Severity
| Severity | Condition |
|---|---|
| Low | Multiple EC2 instances launched within a brief timeframe |
| Medium | EC2 instances launched by a client within an unexpected ASN or region, or accompanied by an unexpected action |
Investigation and Remediation
Review AWS CloudTrail logs to identify the IAM user, source IP address, and instance configurations. Analyze instance types, AMIs, and network settings for unexpected patterns. If unauthorized activity is confirmed, terminate affected instances and revoke IAM permissions.
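The CloudTrail review described above, as an added example that is not part of the AlphaSOC documentation: it groups RunInstances events per IAM principal, reports the source IPs and instance IDs involved, flags bursts within a sliding time window (the Low condition) and raises the severity when a launch falls in a region outside an allow-list the analyst supplies (the region part of the Medium condition). The events, ARN, IP addresses, instance IDs, window and threshold are constructed; the ASN and "unexpected action" checks are not implemented here.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed CloudTrail-style records for illustration (not real log data).
SAMPLE_EVENTS = [
    {"eventName": "RunInstances", "eventTime": "2024-01-10T12:00:05Z", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0a1"}, {"instanceId": "i-0a2"}]}}},
    {"eventName": "RunInstances", "eventTime": "2024-01-10T12:01:40Z", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0a3"}]}}},
    {"eventName": "RunInstances", "eventTime": "2024-01-10T12:03:10Z", "awsRegion": "ap-southeast-1",
     "sourceIPAddress": "203.0.113.9", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0b1"}, {"instanceId": "i-0b2"}]}}},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def triage_run_instances(events, expected_regions, window_seconds=300, min_instances=3):
    """Group RunInstances calls per IAM principal and grade bursts as the finding does:
    Low = at least min_instances launched within window_seconds by one principal;
    Medium = such a burst that also touches a region outside expected_regions."""
    per_arn = defaultdict(list)
    for ev in events:
        if ev.get("eventName") != "RunInstances":
            continue
        items = ev.get("responseElements", {}).get("instancesSet", {}).get("items", [])
        per_arn[ev["userIdentity"]["arn"]].append(
            (_ts(ev["eventTime"]), ev["awsRegion"], ev["sourceIPAddress"], [i["instanceId"] for i in items]))
    findings, best_rank = {}, {}
    for arn, launches in per_arn.items():
        launches.sort(key=lambda l: l[0])
        start = 0
        for end in range(len(launches)):
            # Advance the window start until the span fits within window_seconds.
            while (launches[end][0] - launches[start][0]).total_seconds() > window_seconds:
                start += 1
            window = launches[start:end + 1]
            ids = [i for l in window for i in l[3]]
            if len(ids) < min_instances:
                continue
            regions = {l[1] for l in window}
            sev = "Medium" if regions - set(expected_regions) else "Low"
            rank = (sev == "Medium", len(ids))  # keep the worst window seen per principal
            if rank > best_rank.get(arn, (False, 0)):
                best_rank[arn] = rank
                findings[arn] = {"severity": sev, "instances": ids, "regions": sorted(regions),
                                 "source_ips": sorted({l[2] for l in window})}
    return findings
```

The returned instance IDs are the set to examine (instance type, AMI, network settings) and, if the activity is confirmed unauthorized, to terminate; the ARN identifies whose permissions to revoke.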