AWS ECS cluster created in multiple regions
Description
AlphaSOC detected the creation of Amazon Elastic Container Service (ECS) clusters across multiple AWS regions within a short time window. While multi-region deployments are common in production environments, rapid ECS cluster creation across regions by a single identity may indicate an attempt to establish unauthorized compute infrastructure for cryptomining, botnet activity, or other malicious workloads.
Impact
Unauthorized ECS cluster creation across regions can incur significant compute costs and may be used to run malicious container workloads at scale. Threat actors with access to valid AWS credentials may exploit ECS to deploy cryptocurrency miners, launch attacks against other targets, or establish persistent footholds across cloud infrastructure. Multi-region operations complicate incident response efforts.
Severity
| Severity | Condition |
|---|---|
| Low | ECS clusters created across multiple AWS regions |
| Medium | Unexpected multi-region ECS cluster creation |
Investigation and Remediation
Review AWS CloudTrail logs to identify the IAM user or role responsible for the cluster creation events across regions. Verify whether the activity was authorized and consistent with known infrastructure-as-code deployments. Inspect any running tasks or services in the new clusters for malicious container images. If unauthorized, terminate the clusters and associated resources, revoke the compromised credentials, and audit IAM permissions.
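The CloudTrail review described above can be scripted. The following added example (not AlphaSOC's detection code) groups `ecs:CreateCluster` events by calling identity, flags any identity that created clusters in several regions inside a sliding time window, and grades the finding Low when the identity is on an assumed allowlist of known infrastructure-as-code deployers and Medium otherwise. The sample records, account id, ARNs, window and region threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(principal, region, when, name="CreateCluster"):
    """Build a minimal CloudTrail-shaped record (constructed sample, not real data)."""
    return {"eventSource": "ecs.amazonaws.com", "eventName": name, "awsRegion": region,
            "eventTime": when, "userIdentity": {"arn": f"arn:aws:iam::111122223333:{principal}"}}


# Constructed sample events: a known IaC role rolling out to three regions, a user
# doing the same in four minutes, and a user creating two clusters hours apart.
SAMPLE_EVENTS = [
    _ev("role/TerraformDeploy", "us-east-1", "2024-01-01T10:00:00Z"),
    _ev("role/TerraformDeploy", "eu-west-1", "2024-01-01T10:05:00Z"),
    _ev("role/TerraformDeploy", "ap-southeast-1", "2024-01-01T10:09:00Z"),
    _ev("user/contractor", "us-west-2", "2024-01-01T11:30:00Z"),
    _ev("user/contractor", "sa-east-1", "2024-01-01T11:31:00Z"),
    _ev("user/contractor", "ap-northeast-1", "2024-01-01T11:33:00Z"),
    _ev("user/contractor", "us-east-1", "2024-01-01T11:34:00Z", name="DescribeClusters"),
    _ev("user/alice", "us-east-1", "2024-01-01T09:00:00Z"),
    _ev("user/alice", "eu-central-1", "2024-01-01T15:00:00Z"),
]

# Assumed allowlist of identities used by known infrastructure-as-code pipelines.
EXPECTED_DEPLOYERS = {"arn:aws:iam::111122223333:role/TerraformDeploy"}


def detect_multi_region_ecs_creation(events, window=timedelta(hours=1), min_regions=3,
                                     expected=EXPECTED_DEPLOYERS):
    """Return {identity_arn: {"regions": [...], "severity": "Low"|"Medium"}} for every
    identity that issued ecs:CreateCluster in at least `min_regions` distinct regions
    within any sliding `window`. Other ECS API calls are ignored."""
    per_identity = defaultdict(list)
    for ev in events:
        if ev.get("eventSource") != "ecs.amazonaws.com" or ev.get("eventName") != "CreateCluster":
            continue
        arn = ev.get("userIdentity", {}).get("arn", "unknown")
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        per_identity[arn].append((ts, ev["awsRegion"]))

    findings = {}
    for arn, creations in per_identity.items():
        creations.sort()  # chronological, so each event anchors the start of one window
        for i, (start, _) in enumerate(creations):
            regions = {r for t, r in creations[i:] if t - start <= window}
            if len(regions) >= min_regions:
                findings[arn] = {"regions": sorted(regions),
                                 "severity": "Low" if arn in expected else "Medium"}
                break
    return findings
```

Each flagged ARN is the starting point for the CloudTrail review above: confirm it against known deployment pipelines, then inspect the tasks in the listed regions.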