AWS EC2 Instance Credential Exfiltrated
Dash が新機能を発表!インシデントマネジメント、Continuous Profiler など多数の機能が追加されました! Dash イベントで発表された新機能!
<  Back to rules search

AWS EC2 Instance Credential Exfiltrated

guardduty

Classification:

threat-intel

Set up the guardduty integration.

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Overview

Goal

Detect when an AWS API call is made from a non EC2 IP for a credential which is scoped to an EC2 Instance.

Strategy

This rule lets you monitor this GuardDuty integration finding:

Triage & Response

  1. Determine the EC2 instance this credential is scoped to. This can be found in the samples.
  2. Determine if the EC2 instance credentials are compromised.
  3. If the instance is compromised:
    • Review the AWS documentation on remediating a compromised EC2 instance.