Anomalous amount of Autoscaling Group events

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください

Goal

Detect when an attacker is attempting to hijack an EC2 AutoScaling Group.

Strategy

This rule lets you monitor AWS EC2 Autoscaling logs (@eventSource:autoscaling.amazonaws.com) to detect when an Autoscaling group receives an anomalous amount of API calls ({{@evt.name}}).

Triage and response

  1. Confirm if the user {{@userIdentity.arn}} intended to make the {{@evt.name}} API calls.
  2. If the user did not make the API calls:
    • Rotate the credentials.
    • Investigate if the same credentials made other unauthorized API calls.