Quick Start Security for AWS EC2
Coralogix Extension For AWS EC2 Includes:
Alerts - 10
Stay on top of AWS EC2 key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.
VM Export was attempted
Identifies an attempt to export an AWS EC2 instance.
Impact: A virtual machine (VM) export may indicate an attempt to extract or exfiltrate information.
Mitigation: VM exports may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. VM exports from unfamiliar users or hosts should be investigated.
MITRE Tactic: TA0010
MITRE Technique: T1537
Snapshot Attribute Was Modified
This rule detects an attempt to modify AWS EC2 snapshot attributes.
Impact: Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data from an EC2 fleet.
Mitigation: If the permissions were modified, verify the snapshot was not shared with an unauthorized or unexpected AWS account.
MITRE Tactic: TA0010
MITRE Technique: T1537
Network Access Control List was deleted
This rule detects the deletion of an AWS Elastic Compute Cloud (EC2) network access control list (ACL).
Impact: An adversary may delete a network access control list in order to disrupt users and the usual operations in their target's environment.
Mitigation: Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Network ACL deletions by unfamiliar users or hosts should be investigated.
MITRE Tactic: TA0005
MITRE Technique: T1562
Network Access Control List was created
This rule detects the creation of an AWS Elastic Compute Cloud (EC2) network access control list (ACL).
Impact: An adversary may create a custom network access control list in order to elevate permissions and persist in their target's environment.
Mitigation: Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
MITRE Tactic: TA0003
MITRE Technique: T1133
Network packet capture was detected
This rule detects potential Traffic Mirroring in an Amazon Elastic Compute Cloud (EC2) instance.
Impact: Traffic Mirroring is an Amazon VPC feature that you can use to copy network traffic from an elastic network interface. This feature can potentially be abused to exfiltrate sensitive data from unencrypted internal traffic.
Mitigation: Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Traffic Mirroring from unfamiliar users or hosts should be investigated.
MITRE Tactic: TA0010
MITRE Technique: T1020
EBS Encryption was disabled
This rule detects the disabling of Amazon Elastic Block Store (EBS) encryption by default in the current region.
Impact: Disabling the default encryption might be an adversary's attempt at data infiltration.
Mitigation: Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Disabling encryption by unfamiliar users or hosts should be investigated.
MITRE Tactic: TA0040
MITRE Technique: T1565
Image Attribute Was Modified
This rule detects modification of the specified attribute of the specified AMI.
Impact: Image attributes are sometimes modified by threat actors in order to exfiltrate data from an EC2 fleet.
Mitigation: If the attributes were modified, verify the snapshot was not shared with an unauthorized or unexpected AWS account.
MITRE Tactic: TA0005
MITRE Technique: T1562
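The two sharing rules above (Snapshot Attribute Was Modified and Image Attribute Was Modified) both end with the same check: was the snapshot or AMI shared with an account outside the ones you expect? The following is an added example, not Coralogix's own rule logic, of how that check can be run over CloudTrail records for the EC2 actions ModifySnapshotAttribute and ModifyImageAttribute. It assumes the detection source is CloudTrail, that requestParameters mirrors the EC2 API request shape (createVolumePermission / launchPermission with an add.items list), and a constructed allow-list of trusted account IDs; the sample events are constructed for the example.

```python
"""Flag snapshot/AMI shares to accounts outside a trusted allow-list.

Added example (not part of the Coralogix extension). Assumes CloudTrail as the
event source and the EC2 API request shape inside requestParameters.
"""

# Constructed allow-list of AWS account IDs permitted to receive shared
# snapshots and AMIs. Replace with your organisation's real list.
TRUSTED_ACCOUNTS = {"111111111111", "222222222222"}

# EC2 action -> requestParameters key that carries the permission change.
# Shape assumed from the EC2 API; confirm against your own CloudTrail records.
PERMISSION_KEYS = {
    "ModifySnapshotAttribute": ("createVolumePermission", "snapshotId"),
    "ModifyImageAttribute": ("launchPermission", "imageId"),
}


def added_principals(event):
    """Return principals a share was ADDED for: account IDs, or 'group:all'
    when the snapshot/AMI was made public. Removals are ignored on purpose."""
    spec = PERMISSION_KEYS.get(event.get("eventName"))
    if spec is None:
        return []
    perm_key, _ = spec
    params = event.get("requestParameters") or {}
    items = ((params.get(perm_key) or {}).get("add") or {}).get("items") or []
    principals = []
    for item in items:
        if "userId" in item:
            principals.append(str(item["userId"]))
        elif "group" in item:
            principals.append("group:" + str(item["group"]))
    return principals


def evaluate(event, trusted=TRUSTED_ACCOUNTS):
    """Return a finding dict if the event shares outside `trusted` (or makes
    the resource public), otherwise None."""
    suspicious = [
        p for p in added_principals(event)
        if p.startswith("group:") or p not in trusted
    ]
    if not suspicious:
        return None
    _, id_key = PERMISSION_KEYS[event["eventName"]]
    params = event.get("requestParameters") or {}
    return {
        "eventName": event["eventName"],
        "resource": params.get(id_key),
        "actor": (event.get("userIdentity") or {}).get("arn"),
        "sourceIP": event.get("sourceIPAddress"),
        "sharedWith": suspicious,
    }


# Constructed sample events (not real CloudTrail output).
SNAPSHOT_MADE_PUBLIC = {
    "eventName": "ModifySnapshotAttribute",
    "userIdentity": {"arn": "arn:aws:iam::111111111111:user/example-user"},
    "sourceIPAddress": "198.51.100.10",
    "requestParameters": {
        "snapshotId": "snap-0123456789abcdef0",
        "createVolumePermission": {"add": {"items": [{"group": "all"}]}},
    },
}
SNAPSHOT_TRUSTED_SHARE = {
    "eventName": "ModifySnapshotAttribute",
    "userIdentity": {"arn": "arn:aws:iam::111111111111:role/backup-role"},
    "sourceIPAddress": "198.51.100.11",
    "requestParameters": {
        "snapshotId": "snap-0123456789abcdef1",
        "createVolumePermission": {"add": {"items": [{"userId": "222222222222"}]}},
    },
}
AMI_SHARED_UNKNOWN = {
    "eventName": "ModifyImageAttribute",
    "userIdentity": {"arn": "arn:aws:iam::111111111111:user/example-user"},
    "sourceIPAddress": "203.0.113.5",
    "requestParameters": {
        "imageId": "ami-0123456789abcdef0",
        "launchPermission": {"add": {"items": [{"userId": "999999999999"}]}},
    },
}

if __name__ == "__main__":
    for ev in (SNAPSHOT_MADE_PUBLIC, SNAPSHOT_TRUSTED_SHARE, AMI_SHARED_UNKNOWN):
        print(ev["eventName"], "->", evaluate(ev))
```

A share to a trusted account produces no finding, while a public share (group "all") or a share to an unlisted account yields a finding carrying the actor ARN, source IP and resource ID, which is exactly what the Mitigation text asks you to verify.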
Serial console access was enabled
This rule detects EC2 Serial Console access being enabled in the account for a specific region.
Impact: The serial console does not require an instance to have any networking capabilities. With the serial console, an attacker can enter commands on an instance as if a keyboard and monitor were directly attached to the instance's serial port.
Mitigation: Make sure serial console access is granted only to authenticated and authorized users.
MITRE Tactic: TA0004
MITRE Technique: T1078
An existing route was replaced in VPC
This rule detects the replacement of an existing route within a route table in a VPC.
Impact: An adversary may replace an existing route in order to impact the flow of network traffic in their target's cloud environment.
Mitigation: Investigate and verify that the configuration change was expected.
MITRE Tactic: TA0005
MITRE Technique: T1562
EC2 Startup Shell Script Changed
This alert triggers when changes are made to the EC2 instance startup script. The shell script is executed as root/SYSTEM every time the specific instances are booted up.
Impact: An attacker could modify the script to introduce malicious code, allowing them to:
- Install malware and backdoors for persistent access.
- Steal sensitive data or credentials.
- Disrupt system operations or launch further attacks.
Mitigation: If the changes are unauthorized, revoke them and investigate further for any malicious activities.
MITRE Tactic: TA0002
MITRE Technique: T1059
MITRE Sub-Technique: 001
Integration
Learn more about Coralogix's out-of-the-box integration with AWS EC2 in our documentation.