Unusual AWS enumeration event from EC2 instance

Goal

Detect when a previously unseen EC2 instance enumerates resources within AWS.

Strategy

This rule monitors Amazon EC2 instances for any Get, List, or Describe API call recorded in CloudTrail. It tracks the EC2 instance roles (@userIdentity.assumed_role) that make such calls within your AWS account and uses the first 7 days as a learning window to build a baseline of known instance roles. After the learning window, an enumeration call from an instance role that has not been seen before generates a security signal.
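
As an added example (not Datadog's own rule logic), the following Python reproduces the detection over a handful of constructed CloudTrail records. It assumes that an EC2 instance role can be recognised by the presence of userIdentity.sessionContext.ec2RoleDelivery in the record, that the role name corresponds to @userIdentity.assumed_role and is read from the assumed-role ARN, that the ARN's session name (the instance ID for instance-profile credentials) stands in for {{@host}}, and that the 7-day learning window is measured from a chosen start time.

```python
# Added example, not Datadog rule code. Assumptions: ec2RoleDelivery marks
# instance-profile credentials, the role name comes from the assumed-role ARN,
# and the ARN session name (the instance ID) stands in for {{@host}}.
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

LEARNING_WINDOW = timedelta(days=7)
ENUMERATION_PREFIXES = ("Get", "List", "Describe")


def is_enumeration(event: Dict) -> bool:
    """True for the read-only API families the rule watches."""
    return str(event.get("eventName", "")).startswith(ENUMERATION_PREFIXES)


def ec2_instance_role(event: Dict) -> Optional[Dict[str, str]]:
    """Return {'role': ..., 'instance': ...} when the caller is an EC2 instance
    using instance-profile credentials, otherwise None."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    if "ec2RoleDelivery" not in ident.get("sessionContext", {}):
        return None  # assumed role, but not delivered through instance metadata
    # arn:aws:sts::123456789012:assumed-role/<RoleName>/<SessionName>
    parts = ident.get("arn", "").split(":assumed-role/", 1)
    if len(parts) != 2 or "/" not in parts[1]:
        return None
    role, session = parts[1].split("/", 1)
    return {"role": role, "instance": session}


def _parse_time(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


class NewInstanceRoleDetector:
    """Learns instance roles for LEARNING_WINDOW after `start`, then signals
    on the first enumeration call from any role that was not learned."""

    def __init__(self, start: datetime, window: timedelta = LEARNING_WINDOW):
        self.learning_ends = start + window
        self.seen_roles = set()

    def process(self, event: Dict) -> Optional[Dict]:
        if not is_enumeration(event):
            return None
        caller = ec2_instance_role(event)
        if caller is None:
            return None
        first_seen = caller["role"] not in self.seen_roles
        self.seen_roles.add(caller["role"])
        if not first_seen or _parse_time(event["eventTime"]) < self.learning_ends:
            return None  # known role, or still inside the learning window
        return {
            "role": caller["role"],
            "host": caller["instance"],
            "source_ip": event.get("sourceIPAddress"),
            "event_name": event["eventName"],
            "event_time": event["eventTime"],
        }


def run_detection(events: List[Dict], start: datetime) -> List[Dict]:
    """Replay events in time order and collect the signals."""
    detector = NewInstanceRoleDetector(start)
    signals = []
    for event in sorted(events, key=lambda e: _parse_time(e["eventTime"])):
        signal = detector.process(event)
        if signal:
            signals.append(signal)
    return signals


def _ct(time, name, arn, ip, ec2_delivery=True):
    """Build a constructed CloudTrail record with only the fields used here."""
    ctx = {"ec2RoleDelivery": "2.0"} if ec2_delivery else {}
    return {"eventTime": time, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"type": "AssumedRole", "arn": arn, "sessionContext": ctx}}


START = datetime(2024, 3, 1, tzinfo=timezone.utc)
ACCT = "arn:aws:sts::123456789012:assumed-role/"
SAMPLE_EVENTS = [  # constructed records, not real CloudTrail data
    # day 2: learned as baseline, no signal
    _ct("2024-03-02T10:00:00Z", "DescribeInstances", ACCT + "web-app-role/i-0aaa111", "10.0.1.10"),
    # day 9: known role, no signal
    _ct("2024-03-09T08:00:00Z", "ListBuckets", ACCT + "web-app-role/i-0aaa111", "10.0.1.10"),
    # day 10: unseen instance role enumerating -> signal
    _ct("2024-03-10T03:12:00Z", "DescribeInstances", ACCT + "recon-role/i-0bbb222", "10.0.2.55"),
    # day 10: same role again, already signalled once
    _ct("2024-03-10T03:13:00Z", "ListUsers", ACCT + "recon-role/i-0bbb222", "10.0.2.55"),
    # day 10: unseen role but a write call, outside the rule's scope
    _ct("2024-03-10T04:00:00Z", "PutObject", ACCT + "ingest-role/i-0ccc333", "10.0.3.7"),
    # day 11: assumed role without instance-metadata delivery (e.g. Lambda), not an EC2 instance
    _ct("2024-03-11T09:00:00Z", "ListFunctions", ACCT + "lambda-role/fn-session", "10.0.4.1", ec2_delivery=False),
]

if __name__ == "__main__":
    for s in run_detection(SAMPLE_EVENTS, START):
        print(s)
```

Replaying the sample yields a single signal, for recon-role on i-0bbb222. Note the caveat the baseline approach carries: only roles that actually make Get, List or Describe calls during the learning window are learned, so a long-lived, legitimate instance whose role first enumerates after the window fires a signal too; that is the case the suppression step under Triage and response exists for.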

Triage and response

  1. Determine whether the activity from the role: {{@userIdentity.assumed_role}} attached to EC2 instance: {{@host}} is expected.
  2. If the action is legitimate, consider including the EC2 instance in a suppression list. See Best practices for creating detection rules with Datadog Cloud SIEM for more information.
  3. If the action should not have happened:
    • Contact the owner of the instance: {{@host}} and see if they made the API call.
    • Use the Host Investigation dashboard to see if the host: {{@host}} has taken other actions.
    • Use the Cloud SIEM - IP Investigation dashboard to see if there’s more traffic from the IP: {{@network.client.ip}}.
  4. If the results of the triage indicate that an attacker has taken the action, begin your company’s incident response process as well as an investigation.