High volume of AWS EC2 instances created with API termination disabled
Goal
Detects when a single identity creates a high volume of EC2 instances and sets the disableApiTermination attribute on multiple instances, preventing them from being terminated through the AWS API.
Strategy
This rule monitors AWS CloudTrail logs for suspicious EC2 instance creation and configuration patterns. It triggers when the same identity generates more than 10 RunInstances events containing @requestParameters.userData, combined with more than 10 ModifyInstanceAttribute events that set @requestParameters.disableApiTermination.value to true.
Disabling API termination prevents instances from being terminated through the AWS API, making it more difficult to shut down unauthorized compute resources. This pattern is commonly associated with resource hijacking attacks, where adversaries create multiple instances for cryptomining and enable termination protection to maintain persistence.
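The following is an added, stand-alone Python re-implementation of the detection logic described above, run over constructed CloudTrail records; it is not Datadog's rule query and not code from this page. It groups events by userIdentity.arn, counts RunInstances events that carry a userData parameter and ModifyInstanceAttribute events that set disableApiTermination to true, and flags an identity when both counts exceed 10 inside a sliding window. The one-hour window, the sample ARNs, instance IDs and timestamps are assumptions made for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

THRESHOLD = 10              # the rule fires on "more than 10" of each event type
WINDOW = timedelta(hours=1)  # assumption: the page does not state the evaluation window


def parse_events(lines):
    """Parse newline-delimited CloudTrail JSON records, skipping blank lines."""
    return [json.loads(line) for line in lines if line.strip()]


def is_run_with_userdata(ev):
    """RunInstances whose request carried userData (CloudTrail redacts the value,
    so only the presence of the key can be tested)."""
    if ev.get("eventSource") != "ec2.amazonaws.com" or ev.get("eventName") != "RunInstances":
        return False
    return "userData" in (ev.get("requestParameters") or {})


def is_disable_termination(ev):
    """ModifyInstanceAttribute that enables termination protection."""
    if ev.get("eventSource") != "ec2.amazonaws.com" or ev.get("eventName") != "ModifyInstanceAttribute":
        return False
    flag = (ev.get("requestParameters") or {}).get("disableApiTermination")
    return isinstance(flag, dict) and flag.get("value") is True


def detect(events, threshold=THRESHOLD, window=WINDOW):
    """Return {arn: (run_count, protect_count)} for every identity that exceeds
    both thresholds within a single window."""
    by_arn = defaultdict(list)
    for ev in events:
        arn = ev.get("userIdentity", {}).get("arn")
        kind = "run" if is_run_with_userdata(ev) else ("protect" if is_disable_termination(ev) else None)
        if arn and kind:
            ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            by_arn[arn].append((ts, kind))

    hits = {}
    for arn, evs in by_arn.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):          # window anchored at each event
            runs = protects = 0
            for ts, kind in evs[i:]:
                if ts - start > window:
                    break
                if kind == "run":
                    runs += 1
                else:
                    protects += 1
            if runs > threshold and protects > threshold:
                hits[arn] = (runs, protects)
                break
    return hits


def make_record(event_name, arn, minute, params):
    """Build one constructed CloudTrail record as a JSON line (not real data)."""
    return json.dumps({
        "eventVersion": "1.08",
        "eventTime": f"2024-01-01T10:{minute:02d}:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": event_name,
        "awsRegion": "us-east-1",
        "userIdentity": {"type": "IAMUser", "arn": arn},
        "requestParameters": params,
    })


# Constructed sample log: one identity launches 12 large instances with userData and
# protects all 12; a deploy role launches 3 instances and turns protection off on one.
SUSPECT = "arn:aws:iam::123456789012:user/compromised-dev"   # assumed ARN
BENIGN = "arn:aws:iam::123456789012:role/deploy-pipeline"    # assumed ARN
SAMPLE_LOG = []
for i in range(12):
    SAMPLE_LOG.append(make_record("RunInstances", SUSPECT, i,
                                  {"instanceType": "c5.24xlarge", "userData": "<sensitiveDataRemoved>"}))
    SAMPLE_LOG.append(make_record("ModifyInstanceAttribute", SUSPECT, i + 20,
                                  {"instanceId": f"i-0{i:016x}", "disableApiTermination": {"value": True}}))
for i in range(3):
    SAMPLE_LOG.append(make_record("RunInstances", BENIGN, i,
                                  {"instanceType": "t3.micro", "userData": "<sensitiveDataRemoved>"}))
SAMPLE_LOG.append(make_record("ModifyInstanceAttribute", BENIGN, 5,
                              {"instanceId": "i-0aaaaaaaaaaaaaaaa", "disableApiTermination": {"value": False}}))

if __name__ == "__main__":
    for arn, (runs, protects) in detect(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT {arn}: {runs} RunInstances with userData, {protects} termination-protection changes")
```

Only the suspect identity is reported; the deploy role stays under both thresholds, and its ModifyInstanceAttribute with `value: false` is not counted because the rule keys on protection being enabled, not merely changed.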
Triage & Response
- Examine the EC2 instances launched by {{@userIdentity.arn}} to verify that the instance creation pattern and volume align with legitimate business operations.
- Review the userData scripts associated with the launched instances to determine whether they contain malicious code or cryptomining software. CloudTrail records the userData parameter only as a redacted placeholder, so retrieve the actual script from the instance attribute (for example `aws ec2 describe-instance-attribute --instance-id <id> --attribute userData`, which returns it base64-encoded).
- Check the instance types, regions, and configurations to identify whether they match expected organizational infrastructure patterns.
- Analyze recent authentication activity for the identity to determine if the account may have been compromised.
- Verify if the API termination protection changes were authorized and have a legitimate operational justification.
- Review billing and cost data for unusual spikes in EC2 compute charges that would indicate resource hijacking.