AWS SSM association targeting all EC2 instances
Description
AlphaSOC detected an AWS Systems Manager (SSM) association configured to target all EC2 instances in the environment. SSM associations allow running documents (scripts and commands) across managed instances. Targeting all instances may indicate an attacker attempting to execute malicious code across the entire infrastructure.
Impact
An SSM association targeting all instances can be used to execute arbitrary commands across the entire fleet of managed EC2 instances simultaneously. This could enable widespread malware deployment, data collection, or configuration changes that establish persistent access across the environment.
Severity
| Severity | Condition |
|---|---|
| Low | SSM association created targeting all EC2 instances |
Investigation and Remediation
Review the SSM association details including the document being executed and its parameters. Identify the identity that created the association and verify it was authorized. Check the execution history for signs of malicious activity. If unauthorized, delete the association and investigate affected instances.
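The triage steps above can be applied to CloudTrail directly. The following is an added example (not AlphaSOC's detection code) that reads CloudTrail records, keeps the `ssm.amazonaws.com` `CreateAssociation` and `UpdateAssociation` events whose targets use the `InstanceIds=*` wildcard (the SSM way of addressing every managed instance), and pulls out the fields the investigation needs: document name, parameters, the identity that made the change, and the resulting association ID. The CloudTrail field names follow the usual record format (lower-camel-case keys in `requestParameters` and `responseElements`); the sample records are constructed for the example.

```python
"""Triage CloudTrail records for SSM associations that target every managed instance.

Added example, not AlphaSOC's own code. Assumptions: CloudTrail writes
SSM request/response fields with lower-camel-case keys, and the fleet-wide
target convention is a target entry of key "InstanceIds" with value "*".
"""
import json

ASSOCIATION_EVENTS = {"CreateAssociation", "UpdateAssociation"}
# Documents that run operator-supplied commands; their parameters need line-by-line review.
INLINE_COMMAND_DOCS = {"AWS-RunShellScript", "AWS-RunPowerShellScript"}


def targets_all_instances(targets):
    """True if any target entry is InstanceIds=* (wildcard over the whole fleet)."""
    for target in targets or []:
        if target.get("key") == "InstanceIds" and "*" in target.get("values", []):
            return True
    return False


def triage_record(record):
    """Return triage details for a fleet-wide SSM association change, else None."""
    if record.get("eventSource") != "ssm.amazonaws.com":
        return None
    if record.get("eventName") not in ASSOCIATION_EVENTS:
        return None
    params = record.get("requestParameters") or {}
    if not targets_all_instances(params.get("targets")):
        return None
    response = record.get("responseElements") or {}
    description = response.get("associationDescription") or {}
    return {
        "event": record["eventName"],
        "time": record.get("eventTime"),
        "actor": (record.get("userIdentity") or {}).get("arn"),
        "source_ip": record.get("sourceIPAddress"),
        "document": params.get("name"),
        "parameters": params.get("parameters") or {},
        "association_id": description.get("associationId"),
    }


def review_notes(finding):
    """Reviewer hints for one finding: what to look at first during investigation."""
    notes = []
    doc = finding["document"] or ""
    if doc in INLINE_COMMAND_DOCS:
        notes.append("inline command document: review the 'commands' parameter line by line")
    if doc and not doc.startswith("AWS-"):
        notes.append("custom document: fetch its content with ssm:GetDocument and review it")
    return notes


def triage_trail(trail_json):
    """Parse a CloudTrail log file body ({"Records": [...]}) and return all findings."""
    records = json.loads(trail_json).get("Records", [])
    return [f for f in (triage_record(r) for r in records) if f is not None]


# Constructed sample CloudTrail records (not real events).
SAMPLE_TRAIL = json.dumps({"Records": [
    {   # fleet-wide association running an inline shell document: should be flagged
        "eventTime": "2024-05-01T10:00:00Z",
        "eventSource": "ssm.amazonaws.com", "eventName": "CreateAssociation",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor-tmp"},
        "requestParameters": {
            "name": "AWS-RunShellScript",
            "targets": [{"key": "InstanceIds", "values": ["*"]}],
            "parameters": {"commands": ["id", "hostname"]},
        },
        "responseElements": {"associationDescription": {
            "associationId": "11111111-2222-3333-4444-555555555555"}},
    },
    {   # tag-scoped agent update: not fleet-wide, not flagged
        "eventTime": "2024-05-01T10:05:00Z",
        "eventSource": "ssm.amazonaws.com", "eventName": "CreateAssociation",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:role/patch-automation"},
        "requestParameters": {
            "name": "AWS-UpdateSSMAgent",
            "targets": [{"key": "tag:Environment", "values": ["prod"]}],
        },
    },
    {   # fleet-wide agent update: flagged, but no inline commands to review
        "eventTime": "2024-05-01T10:10:00Z",
        "eventSource": "ssm.amazonaws.com", "eventName": "UpdateAssociation",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:role/patch-automation"},
        "requestParameters": {
            "name": "AWS-UpdateSSMAgent",
            "targets": [{"key": "InstanceIds", "values": ["*"]}],
        },
    },
    {   # unrelated service event: ignored
        "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
    },
]})

if __name__ == "__main__":
    for finding in triage_trail(SAMPLE_TRAIL):
        print(json.dumps(finding, indent=2))
        for note in review_notes(finding):
            print("  note:", note)
```

Each finding carries the identity ARN and source IP so the "was it authorized" question can be answered from the record itself; the association ID is what you pass to `aws ssm describe-association-executions` for the execution history and to `aws ssm delete-association` if the change turns out to be unauthorized.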
Known False Positives
- Legitimate fleet-wide configuration management
- Patch management deployments across all instances
- Security agent deployment or updates