EC2 instance used for malicious botnet operations

Requires the network integration (Network Performance Monitoring) to be set up, since this detection is driven by flow data from it.


A workload established an unusually large number of outbound connections to the Internet over SSH (TCP port 22).

Malware that infects cloud workloads typically uses the victim workload to spread its infection further, for example by scanning for and brute-forcing other SSH servers. A large volume of outbound connections from a resource can also degrade that resource's availability.


  1. Review the destination IP addresses. Determine whether this host is expected to make outbound SSH connections; bastion hosts, CI runners, and configuration-management servers may legitimately do so, while an application instance fanning out to many unrelated public addresses is suspicious.
  2. Review the vulnerabilities and misconfigurations associated with the resource to determine the root cause of the compromise.
  3. Fix the vulnerabilities and misconfigurations in the infrastructure deployment mechanism (Terraform, Helm, etc.) or apply the most recent available software patch, so that redeployed instances are not compromised again.
  4. Refer to the AWS Incident Response Guide for further guidance.
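The following is an added example of the detection logic described above and of the first triage step, written for this page; it is not Datadog's rule implementation. It assumes flow records shaped as `host`, `dst_ip`, `dst_port`, `direction` dictionaries (a hypothetical shape, chosen to resemble a flow export), counts distinct public destinations reached over TCP/22 per host, and lets the triager subtract an allowlist of known-good destinations before deciding whether the remaining fan-out is expected.

```python
"""Flag workloads with an unusual fan-out of outbound SSH connections.

Added example for this page, not the product's own rule code. The flow
record shape and the sample data below are constructed assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flows (documentation-range addresses, not real traffic).
# i-0abc fans out to seven distinct public hosts on TCP/22; i-0def does not.
SAMPLE_FLOWS = [
    {"host": "i-0abc", "dst_ip": "203.0.113.10", "dst_port": 22, "direction": "outbound"},
    {"host": "i-0abc", "dst_ip": "203.0.113.11", "dst_port": 22, "direction": "outbound"},
    {"host": "i-0abc", "dst_ip": "203.0.113.12", "dst_port": 22, "direction": "outbound"},
    {"host": "i-0abc", "dst_ip": "203.0.113.13", "dst_port": 22, "direction": "outbound"},
    {"host": "i-0abc", "dst_ip": "203.0.113.14", "dst_port": 22, "direction": "outbound"},
    {"host": "i-0abc", "dst_ip": "203.0.113.15", "dst_port": 22, "direction": "outbound"},
    {"host": "i-0abc", "dst_ip": "203.0.113.16", "dst_port": 22, "direction": "outbound"},
    # Repeat connection to the same destination: counted once, not twice.
    {"host": "i-0abc", "dst_ip": "203.0.113.10", "dst_port": 22, "direction": "outbound"},
    # Internal SSH to a private address is not Internet-bound; ignored.
    {"host": "i-0abc", "dst_ip": "10.0.1.5", "dst_port": 22, "direction": "outbound"},
    # HTTPS, not SSH; ignored.
    {"host": "i-0abc", "dst_ip": "203.0.113.99", "dst_port": 443, "direction": "outbound"},
    # A host with one legitimate outbound SSH session.
    {"host": "i-0def", "dst_ip": "203.0.113.50", "dst_port": 22, "direction": "outbound"},
    {"host": "i-0def", "dst_ip": "203.0.113.51", "dst_port": 443, "direction": "outbound"},
    # Inbound SSH (someone connecting to i-0def) is not what this rule is about.
    {"host": "i-0def", "dst_ip": "10.0.2.9", "dst_port": 22, "direction": "inbound"},
]

# RFC 1918, loopback and link-local ranges are treated as non-Internet.
# Checked explicitly rather than via ipaddress.is_private, which would also
# classify the 203.0.113.0/24 documentation range used above as private.
NON_INTERNET_NETS = [
    ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


def is_internet_address(ip: str) -> bool:
    """True if the address is outside the private/loopback/link-local ranges."""
    addr = ip_address(ip)
    return not any(addr in net for net in NON_INTERNET_NETS)


def outbound_ssh_destinations(flows, allowlist=frozenset()):
    """Map each host to the set of distinct Internet IPs it reached over TCP/22.

    Destinations in `allowlist` (known-good SSH targets reviewed during triage)
    are excluded so the remaining fan-out reflects only unexplained connections.
    """
    dests = defaultdict(set)
    for flow in flows:
        if flow["direction"] != "outbound" or flow["dst_port"] != 22:
            continue
        dst = flow["dst_ip"]
        if not is_internet_address(dst) or dst in allowlist:
            continue
        dests[flow["host"]].add(dst)
    return dests


def flag_hosts(flows, threshold=5, allowlist=frozenset()):
    """Return {host: sorted destinations} for hosts at or above the threshold.

    The threshold is an assumed tuning knob; pick it from the baseline of the
    workload's normal outbound SSH activity rather than from this example.
    """
    by_host = outbound_ssh_destinations(flows, allowlist)
    return {host: sorted(d) for host, d in by_host.items() if len(d) >= threshold}


if __name__ == "__main__":
    for host, targets in flag_hosts(SAMPLE_FLOWS).items():
        print(f"{host}: {len(targets)} distinct Internet SSH destinations")
        for ip in targets:
            print(f"  -> {ip}")
```

Running this flags `i-0abc` with seven distinct destinations and leaves `i-0def` alone. For triage, feed the destinations the team recognises into `allowlist`; if the host still exceeds the threshold after that, the remaining addresses are the ones to investigate as possible scanning or propagation targets.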

This detection is based on data from Network Performance Monitoring.