# AWS EC2 password enumeration

## Description
AlphaSOC detected repeated calls to the AWS Elastic Compute Cloud (EC2)
GetPasswordData API action, which retrieves the encrypted Windows
administrator password for an EC2 instance (the password is encrypted with the
public key of the instance's key pair, so the caller also needs the matching
private key to read it). Repeated calls of this kind indicate potential
password enumeration attempts against Windows EC2 instances.
## Impact
Adversaries who successfully obtain EC2 instance passwords gain administrative access to Windows servers, enabling lateral movement, data theft, and deployment of additional malware or backdoors. Compromised instances can serve as pivot points for attacks against other resources within the AWS environment.
## Severity

| Severity | Condition |
|---|---|
| Low | AWS EC2 password enumeration |
## Investigation and Remediation
Review AWS CloudTrail logs (eventSource ec2.amazonaws.com, eventName
GetPasswordData) to identify the IAM user, role, or other principal making the
calls. Analyze the source IP addresses, user agents, and timing patterns of the
requests, and note which instance IDs were targeted. Examine the targeted EC2
instances for signs of compromise or unauthorized access. If unauthorized
activity is confirmed, immediately rotate the affected passwords, and implement
stronger access controls such as AWS Systems Manager Session Manager for secure
server access so that retrieving the local administrator password is no longer
part of the normal workflow.
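As an added example (not AlphaSOC's own detection logic), the following Python triages CloudTrail records for the pattern described above: it keeps only GetPasswordData events, groups them by calling principal, and flags any principal that makes many calls, or targets many distinct instances, inside a short window, reporting the source IPs and user agents an analyst would want next. The record fields follow CloudTrail's JSON layout; the sample events, account ID, ARNs and thresholds are constructed assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta


def _event(time, arn, ip, agent, instance_id, name="GetPasswordData"):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventTime": time, "eventSource": "ec2.amazonaws.com",
            "eventName": name, "sourceIPAddress": ip, "userAgent": agent,
            "userIdentity": {"arn": arn},
            "requestParameters": {"instanceId": instance_id}}


# Constructed sample: one routine console lookup by an admin, then a burst of
# CLI calls from one principal walking across six different instances.
OPS_ADMIN = "arn:aws:iam::123456789012:user/ops-admin"
CONTRACTOR = "arn:aws:iam::123456789012:user/contractor"
SAMPLE_EVENTS = [
    _event("2024-05-01T09:30:00Z", OPS_ADMIN, "203.0.113.5",
           "console.ec2.amazonaws.com", "i-0aaa0001"),
    _event("2024-05-01T09:59:00Z", CONTRACTOR, "198.51.100.7",
           "aws-cli/2.15.0", None, name="DescribeInstances"),  # filtered out
] + [
    _event("2024-05-01T10:00:%02dZ" % (i * 5), CONTRACTOR, "198.51.100.7",
           "aws-cli/2.15.0", "i-0bbb%04d" % i)
    for i in range(6)
]


def find_password_enumeration(events, window=timedelta(minutes=10),
                              min_calls=5, min_instances=3):
    """Return {principal_arn: summary} for principals whose GetPasswordData
    calls look like enumeration: >= min_calls, or >= min_instances distinct
    instance IDs, within any `window`-long span. Thresholds are assumptions."""
    per_principal = defaultdict(list)
    for ev in events:
        if ev.get("eventSource") != "ec2.amazonaws.com" or ev.get("eventName") != "GetPasswordData":
            continue
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        per_principal[ev["userIdentity"]["arn"]].append(
            (ts, ev["requestParameters"].get("instanceId"),
             ev["sourceIPAddress"], ev["userAgent"]))
    findings = {}
    for arn, calls in per_principal.items():
        calls.sort(key=lambda c: c[0])
        for start in range(len(calls)):  # sliding window over sorted calls
            burst = [c for c in calls[start:] if c[0] - calls[start][0] <= window]
            instances = {c[1] for c in burst}
            if len(burst) >= min_calls or len(instances) >= min_instances:
                findings[arn] = {"calls": len(burst), "instances": sorted(instances),
                                 "source_ips": sorted({c[2] for c in burst}),
                                 "user_agents": sorted({c[3] for c in burst}),
                                 "first_seen": burst[0][0].isoformat(),
                                 "last_seen": burst[-1][0].isoformat()}
                break
    return findings


if __name__ == "__main__":
    print(json.dumps(find_password_enumeration(SAMPLE_EVENTS), indent=2))
```

On real data, feed it the `Records` array of a CloudTrail log file and tune the thresholds to the account's normal rate of password retrievals.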