Anomalous amount of access denied events for AWS EC2 Instance


Goal

Detect when an EC2 instance is assessing its privileges in AWS through enumeration and discovery techniques, which typically produces a burst of AccessDenied responses in CloudTrail.

Strategy

Monitor CloudTrail logs to identify when an EC2 instance (`@userIdentity.session_name:i-*`) generates an anomalous amount of AccessDenied events.

Triage and response

  1. Determine what events the EC2 instance {{@userIdentity.session_name}} is generating in the time frame of the signal.
  2. If the root cause is not a misconfiguration, investigate any other signals around the time of the signal by looking at the Host Investigation dashboard.
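The following script is an added example of the detection logic described under Strategy and of triage step 1; it is not Datadog's own rule code. It reads raw CloudTrail records, derives the session name from the assumed-role ARN (which Datadog exposes as `@userIdentity.session_name`), counts denied calls per instance in fixed windows, and flags a window whose count is far above that instance's own earlier rate. The sample events, the account id `123456789012`, the window size and the thresholds are constructed assumptions; Datadog's anomaly baselining is more elaborate than the simple mean used here.

```python
"""Flag EC2 instance role sessions with an anomalous volume of denied CloudTrail calls.

Added example with constructed sample data; thresholds and window size are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timezone

WINDOW_SECONDS = 300        # assumption: 5-minute buckets
MIN_BASELINE_WINDOWS = 2    # assumption: prior windows needed before a window is scored
BASELINE_MULTIPLIER = 3.0   # assumption: flag when count > 3x the instance's prior mean
ABSOLUTE_FLOOR = 5          # assumption: never flag a window with fewer than 5 denials
# "AccessDenied" is the generic code; EC2 API denials are logged as
# "Client.UnauthorizedOperation", so both are treated as denials here.
DENIED_CODES = {"AccessDenied", "Client.UnauthorizedOperation"}


def session_name(record):
    """Return the STS session name from an assumed-role ARN, or None.

    Assumed-role ARNs look like arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION;
    for an EC2 instance profile the SESSION segment is the instance id (i-...).
    """
    ident = record.get("userIdentity", {})
    arn = ident.get("arn", "")
    if ident.get("type") == "AssumedRole" and "assumed-role/" in arn:
        return arn.rsplit("/", 1)[-1]
    return None


def is_instance_session(name):
    """Equivalent of the query filter @userIdentity.session_name:i-*"""
    return name is not None and name.startswith("i-")


def is_denied(record):
    return record.get("errorCode") in DENIED_CODES


def window_start(record):
    """Epoch second of the fixed window containing the record's eventTime."""
    ts = datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    epoch = int(ts.replace(tzinfo=timezone.utc).timestamp())
    return epoch - (epoch % WINDOW_SECONDS)


def count_denials(records):
    """Map instance session name -> {window_start: number of denied calls}."""
    counts = defaultdict(lambda: defaultdict(int))
    for rec in records:
        name = session_name(rec)
        if is_instance_session(name) and is_denied(rec):
            counts[name][window_start(rec)] += 1
    return counts


def find_anomalies(records):
    """Return (instance, window_start, count, baseline_mean) for anomalous windows.

    Windows with zero denials between the first and last observed window are
    included in the baseline so a quiet instance is not scored against only
    its noisy windows.
    """
    anomalies = []
    for inst, per_window in count_denials(records).items():
        first, last = min(per_window), max(per_window)
        history = []
        for w in range(first, last + WINDOW_SECONDS, WINDOW_SECONDS):
            c = per_window.get(w, 0)
            if len(history) >= MIN_BASELINE_WINDOWS:
                mean = sum(history) / len(history)
                if c >= ABSOLUTE_FLOOR and c > BASELINE_MULTIPLIER * mean:
                    anomalies.append((inst, w, c, mean))
            history.append(c)
    return anomalies


def events_in_window(records, instance, window):
    """Triage step 1: what calls did this instance make in the flagged window?"""
    return sorted(
        (r.get("eventName", "?"), r.get("errorCode", "Success"))
        for r in records
        if session_name(r) == instance and window_start(r) == window
    )


def _event(time, session, error=None, event_name="DescribeInstances"):
    """Build a minimal constructed CloudTrail record (assumption: example account id)."""
    rec = {
        "eventTime": time,
        "eventName": event_name,
        "userIdentity": {
            "type": "AssumedRole",
            "arn": f"arn:aws:sts::123456789012:assumed-role/WebRole/{session}",
        },
    }
    if error:
        rec["errorCode"] = error
    return rec


# Constructed sample: two quiet windows, then a burst of discovery calls that
# are all denied, plus a human session that the i-* filter must ignore.
_BURST = ["ListBuckets", "ListUsers", "ListRoles", "ListPolicies",
          "DescribeSecurityGroups", "ListSecrets", "ListFunctions", "ListTables"]
SAMPLE_EVENTS = [
    _event("2024-01-01T10:00:10Z", "i-0abc1234", "AccessDenied"),
    _event("2024-01-01T10:05:10Z", "i-0abc1234", "AccessDenied"),
    *[_event(f"2024-01-01T10:10:{s:02d}Z", "i-0abc1234", "AccessDenied", n)
      for s, n in enumerate(_BURST)],
    _event("2024-01-01T10:10:20Z", "i-0abc1234"),
    *[_event(f"2024-01-01T10:10:{s:02d}Z", "alice", "AccessDenied") for s in range(10)],
]

if __name__ == "__main__":
    for inst, w, c, mean in find_anomalies(SAMPLE_EVENTS):
        print(f"{inst}: {c} denials in window {w} (prior mean {mean:.1f})")
        for name, outcome in events_in_window(SAMPLE_EVENTS, inst, w):
            print(f"  {name}: {outcome}")
```

The `alice` session is dropped by `is_instance_session` even though it generates more denials than the instance, which is the same effect the `@userIdentity.session_name:i-*` filter has in the rule: a human operator's mistakes are a separate concern from an instance role suddenly probing services it never calls. If the flagged calls turn out to come from a deployment that legitimately needs those permissions, the root cause is a misconfiguration (triage step 2) rather than compromise.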