bcgov / cloud-pathfinder

This is the technology and UX backend repo for the cloud pathfinder ZenHub task board
https://app.zenhub.com/workspaces/cloud-pathfinder-5e4dbb426c3c6af8dcbf06a7/board?repos=241742911
Creative Commons Zero v1.0 Universal

Detect/Alert on EC2 instance creds being used from another account #3066

Closed NickCorcoran closed 1 month ago

NickCorcoran commented 1 month ago

Importance and Impact

EC2 instance credentials are the temporary credentials made available through the EC2 metadata service. When your workloads deployed on EC2 instances access AWS services, they use an access key, a secret access key, and a session token. The secure mechanism to pass access key credentials to your workloads is to define the permissions required by your workload. If the application running on the EC2 instance is compromised and a malicious actor manages to access the instance's metadata service, the malicious actor could extract the credentials.

Recommendations

Implement mechanisms to generate an alert when a misuse of EC2 instance credentials is detected or when they are used from an affiliated account. Attackers may extract credentials when they have remote code execution (RCE), local presence on the instance, or by exploiting application-level vulnerabilities like Server Side Request Forgery (SSRF) and XML External Entity (XXE) injection. There are multiple methods to mitigate RCE or local access, including rebuilding the instances from a secured and patched AMI to eliminate remote access, rotating access credentials, and so on.

NickCorcoran commented 1 month ago

Some investigation into GuardDuty error needed. Just need to alert and investigate on - build runbook on this type of event. Potential 3rd party use of creds - what did they do with them during that timeframe?

NickCorcoran commented 1 month ago

https://aws.amazon.com/blogs/aws/amazon-guardduty-enhances-detection-of-ec2-instance-credential-exfiltration/

NickCorcoran commented 1 month ago

This will require education for teams on these types of events. PICEREL process.

NickCorcoran commented 1 month ago

This alert is warning about a potential security issue with an Amazon EC2 instance (a virtual server in Amazon's cloud). Here's a simple explanation:

1) "Alert on EC2 instance creds being used from another account" - This means someone is using login credentials for an EC2 server, but they're using them from a different AWS account than expected.
2) "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltrationOutsideAWS" - This is the specific type of alert. It suggests that someone may have taken EC2 instance credentials and is using them from outside of AWS, which isn't allowed.
3) "guardduty finding" - GuardDuty is AWS's threat detection service. It found this suspicious activity.

For a junior to investigate:

1) Check which EC2 instance is involved
2) Review recent access logs for that instance
3) Verify if any authorized activities explain this alert
4) If not, consider changing the instance's credentials immediately
5) Look into the "other account" that's trying to use these credentials
6) Report findings to the security team

This could be a false alarm, but it's important to treat it seriously as it may indicate someone is trying to improperly access your AWS resources.
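The triage steps above can be front-loaded into the alert itself. The following is an added example (not code from this repo) of a small Python helper that takes the EventBridge event carrying a GuardDuty finding, ignores finding types other than the InstanceCredentialExfiltration family, and pulls out the fields a responder needs for the runbook (instance session, access key, remote account and IP, time window, and whether to rotate the instance role credentials immediately). The sample event is constructed; field names follow the GuardDuty finding format, but the assumption that `accessKeyDetails.userName` carries the instance ID for an instance-profile session is mine.

```python
"""Triage helper for GuardDuty EC2 credential-exfiltration findings (added example)."""
import json
from typing import Optional

# Matches both the OutsideAWS and InsideAWS variants of the finding type.
EXFIL_PREFIX = "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration"

# Constructed sample of an EventBridge event wrapping a GuardDuty finding.
# Layout follows the GuardDuty finding format; every value is made up.
SAMPLE_EVENT = json.dumps({
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS",
        "severity": 8.0, "accountId": "111122223333", "region": "ca-central-1",
        "resource": {"resourceType": "AccessKey",
                     "accessKeyDetails": {"accessKeyId": "ASIAEXAMPLEKEY000",
                                          "userType": "AssumedRole",
                                          "userName": "i-0example1234567890"}},
        "service": {
            "eventFirstSeen": "2024-05-01T10:00:00Z", "eventLastSeen": "2024-05-01T10:20:00Z",
            "action": {"actionType": "AWS_API_CALL",
                       "awsApiCallAction": {"api": "ListBuckets", "serviceName": "s3.amazonaws.com",
                                            "remoteIpDetails": {"ipAddressV4": "203.0.113.10"},
                                            "remoteAccountDetails": {"accountId": "999988887777",
                                                                     "affiliated": False}}}}}})


def triage(event_json: str) -> Optional[dict]:
    """Return an alert record for credential-exfiltration findings, else None."""
    detail = json.loads(event_json).get("detail", {})
    ftype = detail.get("type", "")
    if not ftype.startswith(EXFIL_PREFIX):
        return None  # some other GuardDuty finding type; not covered by this runbook
    key = detail.get("resource", {}).get("accessKeyDetails", {})
    svc = detail.get("service", {})
    call = svc.get("action", {}).get("awsApiCallAction", {})
    remote = call.get("remoteAccountDetails", {})
    return {
        "finding_type": ftype,
        "severity": detail.get("severity"),
        "victim_account": detail.get("accountId"),
        "instance_session": key.get("userName"),  # assumption: session name is the instance ID
        "access_key_id": key.get("accessKeyId"),
        "remote_account": remote.get("accountId"),
        "remote_ip": call.get("remoteIpDetails", {}).get("ipAddressV4"),
        "window": (svc.get("eventFirstSeen"), svc.get("eventLastSeen")),
        "api_call": call.get("api"),
        # Creds used outside AWS or from an unaffiliated account: rotate the instance role now.
        "rotate_now": ftype.endswith("OutsideAWS") or not remote.get("affiliated", False),
    }
```

Wire the function behind an EventBridge rule on `aws.guardduty` findings and send the returned record to the on-call channel; the `window` and `api_call` fields answer the "what did they do during that timeframe" question from the runbook.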

ThibaultBC commented 1 month ago

Not needed, Security Hub generates the alerts