Possible AWS EC2 privilege escalation via the modification of user data

Goal

Detect a user attempting to modify a user data script on an EC2 instance.

Strategy

This rule allows you to monitor CloudTrail and detect if an attacker has attempted to modify the user data script on an EC2 instance using the following API calls:

Triage and response

  1. Determine if {{@userIdentity.session_name}} should have modified the user data script associated with {{host}}.
  2. If the API calls were not made by the user:
  • Rotate user credentials.
  • Determine what other API calls were made by the user.
  • Follow your company’s incident response process to determine the impact to {{host}}.
  • Revert the user data script to the last known good state with the aws-cli command modify-instance-attribute or use the AWS Console.
  1. If the API calls were made by the user:
  • Determine if the user should be modifying this user data script.
  • If No, see if other API calls were made by the user and determine if they warrant further investigation.