---
title: Anomalous amount of access denied events for AWS EC2 Instance
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > Anomalous amount of access denied
  events for AWS EC2 Instance
---

# Anomalous amount of access denied events for AWS EC2 Instance
Classification: attack | Tactic: [TA0007-discovery](https://attack.mitre.org/tactics/TA0007) | Technique: [T1069-permission-groups-discovery](https://attack.mitre.org/techniques/T1069)
## Goal{% #goal %}

Detect when an EC2 instance is assessing its privileges in AWS through enumeration and discovery techniques.

## Strategy{% #strategy %}

Monitor CloudTrail logs to identify when an EC2 instance (`@userIdentity.session_name:i-*`) generates an anomalous number of `AccessDenied` events. Credentials obtained from an EC2 instance profile carry the instance ID as the STS role-session name, which is why this filter isolates API calls made by instances.

## Triage and response{% #triage-and-response %}

1. Determine what events the EC2 instance `{{@userIdentity.session_name}}` is generating in the time frame of the signal.
1. If the root cause is not a misconfiguration, investigate any other signals generated around the same time by looking at the Host Investigation dashboard.
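
The detection strategy above and the first triage step, worked through in code as an added example (this is not Datadog's rule implementation). It reads CloudTrail records, keeps only `AccessDenied` events whose caller is an assumed-role session named `i-*`, counts them per instance inside a one-hour window, and flags instances whose count stands out against their own earlier hourly counts; a second helper lists what a flagged instance was calling, which is what triage step 1 asks for. The account ID, instance IDs, role names, sample events, baseline counts and the z-score threshold are all constructed assumptions.

```python
"""Count CloudTrail AccessDenied events per EC2 instance-role session, flag
sessions whose count is anomalous against that instance's own baseline, and
list what a flagged instance was calling (triage step 1).

Added example, not Datadog's rule code. The events, account ID, role names,
baseline counts and the z-score threshold are all constructed assumptions.
"""
import statistics
from collections import Counter
from datetime import datetime, timezone

ACCOUNT = "123456789012"  # constructed account ID
INSTANCE_A = "i-0a1b2c3d4e5f60001"  # constructed: noisy instance
INSTANCE_B = "i-0f9e8d7c6b5a40002"  # constructed: quiet instance
ROLE_A = f"arn:aws:sts::{ACCOUNT}:assumed-role/WebServerRole/{INSTANCE_A}"
ROLE_B = f"arn:aws:sts::{ACCOUNT}:assumed-role/BatchWorkerRole/{INSTANCE_B}"
USER_ALICE = f"arn:aws:iam::{ACCOUNT}:user/alice"


def _event(time, ident_type, arn, source, name, denied=False):
    """Build a minimal CloudTrail record containing only the fields read here."""
    ev = {"eventTime": time, "eventSource": source, "eventName": name,
          "userIdentity": {"type": ident_type, "arn": arn}}
    if denied:
        ev["errorCode"] = "AccessDenied"
    return ev


# Constructed one-hour sample: instance A is denied on eight discovery-style
# calls, instance B once, an IAM user twice, plus one out-of-window denial.
SAMPLE_EVENTS = [
    _event("2024-05-01T10:02:00Z", "AssumedRole", ROLE_A, "iam.amazonaws.com", "ListRoles", True),
    _event("2024-05-01T10:02:05Z", "AssumedRole", ROLE_A, "iam.amazonaws.com", "ListUsers", True),
    _event("2024-05-01T10:02:09Z", "AssumedRole", ROLE_A, "iam.amazonaws.com", "ListGroups", True),
    _event("2024-05-01T10:03:00Z", "AssumedRole", ROLE_A, "s3.amazonaws.com", "ListBuckets", True),
    _event("2024-05-01T10:03:30Z", "AssumedRole", ROLE_A, "secretsmanager.amazonaws.com", "ListSecrets", True),
    _event("2024-05-01T10:04:00Z", "AssumedRole", ROLE_A, "lambda.amazonaws.com", "ListFunctions", True),
    _event("2024-05-01T10:04:20Z", "AssumedRole", ROLE_A, "rds.amazonaws.com", "DescribeDBInstances", True),
    _event("2024-05-01T10:05:00Z", "AssumedRole", ROLE_A, "ec2.amazonaws.com", "DescribeInstances", True),
    _event("2024-05-01T10:06:00Z", "AssumedRole", ROLE_A, "s3.amazonaws.com", "GetObject"),  # allowed
    _event("2024-05-01T09:30:00Z", "AssumedRole", ROLE_A, "iam.amazonaws.com", "ListRoles", True),  # outside window
    _event("2024-05-01T10:15:00Z", "AssumedRole", ROLE_B, "s3.amazonaws.com", "ListBuckets", True),
    _event("2024-05-01T10:20:00Z", "IAMUser", USER_ALICE, "iam.amazonaws.com", "ListRoles", True),
    _event("2024-05-01T10:21:00Z", "IAMUser", USER_ALICE, "iam.amazonaws.com", "ListUsers", True),
]
WINDOW_START = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 5, 1, 11, 0, tzinfo=timezone.utc)

# Constructed baseline: AccessDenied counts per instance in earlier one-hour windows.
BASELINE = {INSTANCE_A: [0, 1, 0, 2, 1, 0], INSTANCE_B: [0, 0, 1, 0]}


def _ts(event):
    """Parse CloudTrail's UTC eventTime into an aware datetime."""
    return datetime.fromisoformat(event["eventTime"].replace("Z", "+00:00"))


def session_name(event):
    """Return the STS role-session name, or None for non-assumed-role callers.
    Credentials from an EC2 instance profile carry the instance ID as the
    session name, which is what @userIdentity.session_name:i-* matches."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    parts = ident.get("arn", "").split("/")  # .../assumed-role/<Role>/<Session>
    return parts[2] if len(parts) == 3 else None


def count_access_denied(events, start, end):
    """Count AccessDenied events per EC2 instance session inside [start, end)."""
    counts = Counter()
    for ev in events:
        name = session_name(ev)
        if (ev.get("errorCode") == "AccessDenied" and name and name.startswith("i-")
                and start <= _ts(ev) < end):
            counts[name] += 1
    return counts


def anomalous_sessions(counts, baseline, z_threshold=3.0, min_count=5):
    """Flag sessions whose count exceeds mean + z*stdev of their own history.
    min_count suppresses alerts on instances with a flat, near-zero baseline,
    where a single stray denial would otherwise trip the threshold."""
    flagged = {}
    for name, count in counts.items():
        history = baseline.get(name, [])
        mean = statistics.fmean(history) if history else 0.0
        stdev = statistics.pstdev(history) if len(history) > 1 else 0.0
        if count >= min_count and count > mean + z_threshold * stdev:
            flagged[name] = count
    return flagged


def events_for_session(events, name, start, end):
    """Triage step 1: the distinct (service, API, outcome) calls of one instance."""
    return sorted({(ev["eventSource"], ev["eventName"], ev.get("errorCode", "ok"))
                   for ev in events
                   if session_name(ev) == name and start <= _ts(ev) < end})


def run_detection():
    counts = count_access_denied(SAMPLE_EVENTS, WINDOW_START, WINDOW_END)
    return anomalous_sessions(counts, BASELINE)


if __name__ == "__main__":
    for name, n in run_detection().items():
        print(f"{name}: {n} AccessDenied events in window")
        for src, api, outcome in events_for_session(SAMPLE_EVENTS, name, WINDOW_START, WINDOW_END):
            print(f"  {src} {api} -> {outcome}")
```

The IAM user's denials are dropped before counting because they are not instance sessions, and the 09:30 denial falls outside the window; only the instance with eight denials against a baseline of zero to two per hour is flagged. In a real deployment the baseline would come from the instance's own historical counts rather than the constructed list used here.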
