Anomalous amount of Autoscaling Group events


Goal

Detect when an attacker is attempting to hijack an EC2 AutoScaling Group.

Strategy

This rule lets you monitor AWS EC2 Autoscaling logs (@eventSource:autoscaling.amazonaws.com) to detect when an Autoscaling group receives an anomalous number of API calls ({{@evt.name}}).

Triage and response

  1. Confirm if the user {{@userIdentity.arn}} intended to make the {{@evt.name}} API calls.
  2. If the user did not make the API calls:
    • Rotate the credentials.
    • Investigate if the same credentials made other unauthorized API calls.
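
The strategy and the last triage step, sketched offline as an added example (not the rule's own logic, whose anomaly method this page does not describe). It assumes raw CloudTrail records, a simple hourly baseline with hypothetical `factor` and `floor` thresholds, and constructed sample records.

```python
from collections import Counter
from statistics import median

SOURCE = "autoscaling.amazonaws.com"

def sample_records():
    """Constructed CloudTrail-style records (not real log data)."""
    user = "arn:aws:iam::111122223333:user/ci-deployer"
    def rec(hour, source, name, arn=user):
        return {"eventTime": f"2024-01-01T{hour:02d}:15:00Z", "eventSource": source,
                "eventName": name, "userIdentity": {"arn": arn}}
    recs = [rec(h, SOURCE, "DescribeAutoScalingGroups") for h in range(6) for _ in range(2)]
    recs += [rec(6, SOURCE, "UpdateAutoScalingGroup") for _ in range(40)]
    recs += [rec(6, "iam.amazonaws.com", "CreateAccessKey"),
             rec(6, "ec2.amazonaws.com", "DescribeInstances")]
    return recs

def hourly_counts(records):
    """Count Auto Scaling API calls per (user ARN, hour bucket)."""
    counts = Counter()
    for r in records:
        if r.get("eventSource") == SOURCE:
            arn = r.get("userIdentity", {}).get("arn", "unknown")
            counts[(arn, r["eventTime"][:13])] += 1  # bucket key "YYYY-MM-DDTHH"
    return counts

def anomalous_buckets(counts, factor=5, floor=10):
    """Flag buckets above max(floor, factor * median of the ARN's other hours)."""
    flagged = []
    for (arn, hour), n in counts.items():
        history = [m for (a, h), m in counts.items() if a == arn and h != hour]
        baseline = median(history) if history else 0  # new identity: no history
        if n > max(floor, factor * baseline):
            flagged.append((arn, hour, n))
    return sorted(flagged)

def other_calls(records, arn):
    """Triage: API calls outside Auto Scaling made by the same identity."""
    return sorted({(r["eventSource"], r["eventName"]) for r in records
                   if r.get("userIdentity", {}).get("arn") == arn
                   and r.get("eventSource") != SOURCE})

if __name__ == "__main__":
    recs = sample_records()
    for arn, hour, n in anomalous_buckets(hourly_counts(recs)):
        print(f"{arn} made {n} Auto Scaling calls in {hour}")
        print("  other calls to review:", other_calls(recs, arn))
```

An identity with no earlier history is compared against the `floor` alone, so a first-seen credential that bursts is still flagged.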