AWS EC2 instance unexpectedly listed S3 buckets
Description
AlphaSOC detected an EC2 instance listing S3 buckets in an unexpected manner. This may indicate that an EC2 instance has been compromised and the attacker is performing reconnaissance to identify accessible storage resources for data exfiltration or further exploitation.
Impact
S3 bucket enumeration from a compromised EC2 instance can reveal storage resources containing sensitive data. Attackers may use instance metadata credentials to access buckets, leading to data theft or manipulation. This activity often precedes targeted data exfiltration attempts.
Severity
| Severity | Condition |
|---|---|
| Low | EC2 instance unexpectedly listed S3 buckets |
Investigation and Remediation
Investigate the EC2 instance for signs of compromise. Review the instance's IAM role permissions and recent API activity. Check for malware, unauthorized SSH access, or compromised applications. If compromise is confirmed, isolate the instance, investigate data access patterns, and consider terminating and reimaging.
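To support the review of recent API activity, the following added example (not AlphaSOC's detection logic) groups CloudTrail `ListBuckets` records by the EC2 instance whose role session made them and flags calls that came from an address the instance does not own. The function names, the `known_ips` inventory and the sample records are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# EC2 instance-role sessions use the instance ID as the session name, so
# CloudTrail's principalId ends in ":i-<hex>" for calls made with them.
INSTANCE_SESSION = re.compile(r":(i-[0-9a-f]{8,17})$")

def triage_list_buckets(records, known_ips):
    """Summarise ListBuckets calls per instance; known_ips is an assumed inventory."""
    summary = defaultdict(lambda: {"calls": 0, "denied": 0, "roles": set(),
                                   "user_agents": set(), "off_instance_ips": set()})
    for rec in records:
        if (rec.get("eventSource"), rec.get("eventName")) != ("s3.amazonaws.com", "ListBuckets"):
            continue
        ident = rec.get("userIdentity", {})
        match = INSTANCE_SESSION.search(ident.get("principalId", ""))
        if ident.get("type") != "AssumedRole" or not match:
            continue  # IAM users, federated sessions, services: out of scope
        instance_id = match.group(1)
        entry = summary[instance_id]
        entry["calls"] += 1
        if rec.get("errorCode") == "AccessDenied":
            entry["denied"] += 1
        issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
        entry["roles"].add(issuer.get("userName", "unknown"))
        entry["user_agents"].add(rec.get("userAgent", ""))
        # Instance credentials used from an address the instance does not own
        # suggest they were copied off the host and are being used elsewhere.
        src = rec.get("sourceIPAddress", "")
        if src not in known_ips.get(instance_id, set()):
            entry["off_instance_ips"].add(src)
    return dict(summary)

def _rec(name, ptype, principal, ip, agent, error=None):
    """Build one constructed CloudTrail-shaped record for the sample below."""
    return {"eventSource": "s3.amazonaws.com", "eventName": name,
            "sourceIPAddress": ip, "userAgent": agent, "errorCode": error,
            "userIdentity": {"type": ptype, "principalId": principal,
                             "sessionContext": {"sessionIssuer": {"userName": "app-role"}}}}

# Constructed sample data, not taken from a real trail.
KNOWN_IPS = {"i-0a1b2c3d4e5f60718": {"10.0.1.15"}}
SAMPLE = [
    _rec("ListBuckets", "AssumedRole", "AROAEXAMPLEID:i-0a1b2c3d4e5f60718", "10.0.1.15", "aws-cli/2.15"),
    _rec("ListBuckets", "AssumedRole", "AROAEXAMPLEID:i-0a1b2c3d4e5f60718", "203.0.113.50", "Boto3/1.34", "AccessDenied"),
    _rec("ListBuckets", "IAMUser", "AIDAEXAMPLEID", "198.51.100.7", "console"),
    _rec("GetObject", "AssumedRole", "AROAEXAMPLEID:i-0a1b2c3d4e5f60718", "10.0.1.15", "aws-cli/2.15"),
]
```

Include both the private and public addresses of each instance in the inventory, since which one CloudTrail records depends on the network path to S3.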
Known False Positives
- Legitimate applications that interact with multiple S3 buckets
- Backup or synchronization tools running on EC2 instances