Anomalous amount of Autoscaling Group events

cloudtrail
This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect when an attacker is attempting to hijack an EC2 AutoScaling Group.

Strategy

This rule lets you monitor AWS EC2 Autoscaling logs (@eventSource:autoscaling.amazonaws.com) to detect when an Autoscaling group receives an anomalous amount of API calls ({{@evt.name}}).

Triage and response

  1. Confirm if the user {{@userIdentity.arn}} intended to make the {{@evt.name}} API calls.
  2. If the user did not make the API calls:
    • Rotate the credentials.
    • Investigate if the same credentials made other unauthorized API calls.