AWS ECS task with credential query
Description
AlphaSOC detected an AWS ECS task querying the EC2 Instance Metadata Service (IMDS) to retrieve temporary IAM credentials. While containerized workloads legitimately use IMDS to obtain role credentials, this behavior from an unexpected context may indicate that an attacker with container access is attempting to escalate privileges by harvesting the associated IAM role's credentials.
Impact
Temporary credentials obtained via IMDS can be exfiltrated and used to authenticate to AWS APIs from outside the cloud environment, enabling an attacker to pivot from a compromised container to the broader AWS infrastructure. Depending on the IAM role permissions attached to the ECS task, an attacker may gain access to S3 buckets, secrets, databases, or other AWS resources, potentially leading to data exfiltration or infrastructure compromise.
Severity
| Severity | Condition |
|---|---|
| Low | ECS task credential query from an unexpected source |
| Medium | Anomalous ECS task credential query |
Investigation and Remediation
Identify the ECS task and cluster involved by reviewing CloudTrail logs and ECS task metadata. Determine which IAM role is associated with the task and review its permissions. If compromise is suspected, rotate credentials and investigate the container for malicious processes.
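As an added example (not AlphaSOC's own detection logic), the check below scans constructed container egress log lines for requests to the IMDS credential path, skips task families on a hypothetical allowlist of workloads expected to use IMDS, and separates role listings from retrievals of a specific role's credentials so the investigator knows which IAM role to review first. The log format, the allowlist and the sample lines are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set
from urllib.parse import urlsplit

IMDS_HOST = "169.254.169.254"
# IMDS path that lists role names (trailing slash) or returns one role's temporary keys.
CRED_PATH_RE = re.compile(r"^/latest/meta-data/iam/security-credentials/?(.*)$")
# Constructed egress-log shape: "<ts> task=<family>:<rev> src=<ip> <method> <url> <status>".
LINE_RE = re.compile(r"^(\S+) task=(\S+) src=(\S+) (\S+) (\S+) (\d+)$")

# Constructed sample log, not real traffic. "imds-agent" stands for a task expected to use IMDS.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z task=web-frontend:12 src=10.0.1.15 GET http://169.254.169.254/latest/meta-data/instance-id 200
2024-05-01T10:00:02Z task=imds-agent:4 src=10.0.1.2 GET http://169.254.169.254/latest/meta-data/iam/security-credentials/ 200
2024-05-01T10:00:03Z task=web-frontend:12 src=10.0.1.15 GET http://169.254.169.254/latest/meta-data/iam/security-credentials/ 200
2024-05-01T10:00:04Z task=web-frontend:12 src=10.0.1.15 GET http://169.254.169.254/latest/meta-data/iam/security-credentials/ecsInstanceRole 200
2024-05-01T10:00:05Z task=web-frontend:12 src=10.0.1.15 GET https://s3.amazonaws.com/ 200
"""

@dataclass
class Finding:
    timestamp: str
    task: str
    src: str
    role: Optional[str]  # set when a role's credential document was fetched, None for a listing

def find_credential_queries(log_text: str, expected_tasks: Set[str]) -> List[Finding]:
    """Flag IMDS credential queries from ECS task families not on the allowlist
    (the allowlist of families expected to use IMDS is an assumption of this example)."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # line not in the expected shape
        ts, task, src, _method, url, _status = m.groups()
        parts = urlsplit(url)
        cred = CRED_PATH_RE.match(parts.path) if parts.hostname == IMDS_HOST else None
        if cred is None or task.split(":")[0] in expected_tasks:
            continue  # other metadata paths, non-IMDS hosts and allowlisted tasks are not flagged
        findings.append(Finding(ts, task, src, cred.group(1) or None))
    return findings

def roles_to_review(findings: List[Finding]) -> Set[str]:
    """IAM roles whose temporary credentials were retrieved; review and rotate these first."""
    return {f.role for f in findings if f.role}
```

Running `find_credential_queries(SAMPLE_LOG, {"imds-agent"})` on the sample flags the two web-frontend requests and `roles_to_review` returns `{"ecsInstanceRole"}`, the role whose permissions the remediation steps above say to review.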