AWS EC2 instance performed multiple unique API actions
Description
AlphaSOC detected an AWS EC2 instance performing an unusually high number of unique API actions within a short time period. Under normal circumstances, instances perform a limited set of repetitive actions specific to their workload.
When an instance suddenly executes many distinct API actions, it may indicate compromise. Threat actors who gain access to EC2 instances use the assigned IAM role to enumerate AWS resources, discover sensitive data locations, map permissions, and identify targets for lateral movement or privilege escalation. This detection focuses on non-read-only operations that complete successfully.
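The sliding-window logic described above, as an added example that is not AlphaSOC's own detection code: it reads trimmed CloudTrail-style records, keeps only successful, non-read-only calls made by EC2 instance-role sessions (EC2 uses the instance ID as the assumed-role session name, which ties a session ARN back to an instance), and raises an alert when the number of distinct `eventName` values from one session reaches a threshold inside a time window. The account ID, role names, instance IDs, threshold and window are constructed or assumed values.

```python
"""Sliding-window detection of EC2 instance-role sessions that issue many
distinct, successful, non-read-only API actions.

Added example for illustration; it is not AlphaSOC's detection logic. The
threshold, window, account ID, role names and instance IDs are assumed or
constructed values.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

ACCOUNT = "123456789012"  # placeholder account ID


def _ev(time, source, name, role, instance_id, read_only=False, error=None):
    """Build a trimmed CloudTrail record. EC2 instance-role sessions use the
    instance ID as the assumed-role session name, which is how the session
    ARN is tied back to an instance."""
    rec = {
        "eventTime": time,
        "eventSource": f"{source}.amazonaws.com",
        "eventName": name,
        "readOnly": read_only,
        "userIdentity": {
            "type": "AssumedRole",
            "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/{role}/{instance_id}",
        },
    }
    if error:
        rec["errorCode"] = error
    return rec


# Constructed sample log: a web server doing its normal writes, and a second
# instance whose role suddenly touches several services within five minutes.
WEB = "i-0aaaaaaaaaaaaaaaa"
ODD = "i-0bbbbbbbbbbbbbbbb"
SAMPLE_EVENTS = [
    _ev("2024-01-01T10:00:00Z", "s3", "PutObject", "WebRole", WEB),
    _ev("2024-01-01T10:01:00Z", "monitoring", "PutMetricData", "WebRole", WEB),
    _ev("2024-01-01T10:02:00Z", "s3", "PutObject", "WebRole", WEB),
    _ev("2024-01-01T10:03:00Z", "s3", "ListBuckets", "WebRole", WEB, read_only=True),
    _ev("2024-01-01T11:00:00Z", "sts", "GetCallerIdentity", "BatchRole", ODD, read_only=True),
    _ev("2024-01-01T11:00:30Z", "s3", "ListBuckets", "BatchRole", ODD, read_only=True),
    _ev("2024-01-01T11:01:00Z", "sts", "AssumeRole", "BatchRole", ODD),
    _ev("2024-01-01T11:01:30Z", "iam", "CreateAccessKey", "BatchRole", ODD),
    _ev("2024-01-01T11:02:00Z", "rds", "ModifyDBInstance", "BatchRole", ODD, error="AccessDenied"),
    _ev("2024-01-01T11:02:30Z", "s3", "PutBucketPolicy", "BatchRole", ODD),
    _ev("2024-01-01T11:03:00Z", "lambda", "CreateFunction20150331", "BatchRole", ODD),
    _ev("2024-01-01T11:04:00Z", "ec2", "RunInstances", "BatchRole", ODD),
]


def _instance_session(arn):
    """Return the instance ID if the ARN is an EC2 instance-role session."""
    if not arn.startswith("arn:aws:sts:") or ":assumed-role/" not in arn:
        return None
    session = arn.rsplit("/", 1)[-1]
    return session if session.startswith("i-") else None


def detect_action_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per instance session whose distinct successful,
    non-read-only eventNames reach `threshold` within `window`."""
    per_session = defaultdict(list)
    for ev in events:
        ident = ev.get("userIdentity", {})
        instance_id = _instance_session(ident.get("arn", ""))
        if ident.get("type") != "AssumedRole" or instance_id is None:
            continue
        # Read-only calls and failed calls do not count toward the burst.
        if ev.get("readOnly", False) or ev.get("errorCode"):
            continue
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        per_session[(ident["arn"], instance_id)].append(
            (ts, ev["eventName"], ev["eventSource"]))

    alerts = []
    for (arn, instance_id), recs in per_session.items():
        recs.sort()
        recent = deque()  # events inside the trailing window
        for rec in recs:
            recent.append(rec)
            while rec[0] - recent[0][0] > window:
                recent.popleft()
            distinct = {r[1] for r in recent}
            if len(distinct) >= threshold:
                alerts.append({
                    "instance_id": instance_id,
                    "session_arn": arn,
                    "window_start": recent[0][0].isoformat(),
                    "window_end": rec[0].isoformat(),
                    "distinct_actions": sorted(distinct),
                    "services": sorted({r[2] for r in recent}),
                })
                break  # one alert per session; the rest is triage material
    return alerts


if __name__ == "__main__":
    for alert in detect_action_bursts(SAMPLE_EVENTS):
        print(alert)
```

The alert carries the session ARN, instance ID, window bounds and the distinct actions and services seen, which is exactly what the investigation steps further down start from. Note that the denied `ModifyDBInstance` call is excluded from the count but would still be worth a look during triage, since failed calls often reveal what a principal tried and could not do.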
Impact
Threat actors can perform a variety of API actions on compromised EC2 instances to discover S3 buckets, RDS databases, Lambda functions, IAM roles with elevated privileges and network configurations.
This reconnaissance typically precedes data exfiltration, privilege escalation through role assumption, lateral movement, deployment of malicious infrastructure, or service disruption. Overly permissive roles allow attackers to modify security configurations, access encryption keys, or deploy cryptomining operations. Organizations face data breaches, service disruptions, unexpected costs, and compliance violations.
Severity
| Severity | Condition |
|---|---|
| Low | AWS EC2 instance performed multiple unique API actions |
Investigation and Remediation
Review CloudTrail logs to identify the EC2 instance and IAM role generating alerts, focusing on the assumed role ARN and instance ID. Examine the sequence of API actions to understand what services and resources were accessed. Verify whether observed actions align with the instance's intended purpose by consulting the owner or deployment documentation.
If the activity appears unauthorized, immediately isolate the instance by switching its security group assignment to a group that blocks outbound traffic, using aws ec2 modify-instance-attribute. Then terminate the compromised instance and revoke its credentials by removing the IAM role.
Review the role's permissions to identify accessible resources and check CloudTrail for privilege escalation attempts or data access. Rotate any secrets or credentials stored on the instance. Investigate the initial compromise by examining VPC Flow Logs, application logs, and software versions. Implement AWS Config rules to monitor overly permissive IAM roles and restrict instance metadata service access using IMDSv2. Deploy endpoint detection solutions on EC2 instances to detect compromise attempts.
Known False Positives
- Newly deployed EC2 instances performing initial setup and configuration tasks across multiple AWS services
- DevOps automation tools or CI/CD pipelines running on EC2 instances that interact with diverse AWS APIs
- Security scanning or compliance auditing tools that enumerate AWS resources from EC2-based agents
- Backup or disaster recovery solutions performing comprehensive resource discovery
- Infrastructure monitoring agents collecting metrics and metadata from multiple AWS services