
Quick Start Security for AWS EC2


Coralogix Extension For AWS EC2 Includes:

Alerts - 10

Stay on top of AWS EC2 key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

VM Export was attempted

Identifies an attempt to export an AWS EC2 instance.
Impact: A virtual machine (VM) export may indicate an attempt to extract or exfiltrate information.
Mitigation: VM exports may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. VM exports from unfamiliar users or hosts should be investigated.
MITRE Tactic: TA0010, MITRE Technique: T1537

Snapshot attribute was modified

This rule detects an attempt to modify AWS EC2 snapshot attributes.
Impact: Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data from an EC2 fleet.
Mitigation: If the permissions were modified, verify that the snapshot was not shared with an unauthorized or unexpected AWS account.
MITRE Tactic: TA0010, MITRE Technique: T1537

Network Access Control List was deleted

This rule detects the deletion of an AWS Elastic Compute Cloud (EC2) network access control list (ACL).
Impact: An adversary may delete a network access control list in order to disrupt users and affect the usual operations in their target's environment.
Mitigation: Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Network ACL deletions by unfamiliar users or hosts should be investigated.
MITRE Tactic: TA0005, MITRE Technique: T1562

Network Access Control List was created

This rule detects the creation of an AWS Elastic Compute Cloud (EC2) network access control list (ACL).
Impact: An adversary may create a custom network access control list in order to elevate their permissions and persist in their target's environment.
Mitigation: Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
MITRE Tactic: TA0003, MITRE Technique: T1133

Network packet capture was detected

This rule detects potential Traffic Mirroring on an Amazon Elastic Compute Cloud (EC2) instance.
Impact: Traffic Mirroring is an Amazon VPC feature that you can use to copy network traffic from an Elastic network interface. This feature can potentially be abused to exfiltrate sensitive data from unencrypted internal traffic.
Mitigation: Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Traffic Mirroring from unfamiliar users or hosts should be investigated.
MITRE Tactic: TA0010, MITRE Technique: T1020

Encryption was disabled

This rule detects the disabling of Amazon Elastic Block Store (EBS) encryption by default in the current region.
Impact: Disabling default encryption may be an adversary's attempt at data infiltration.
Mitigation: Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Disabling of encryption by unfamiliar users or hosts should be investigated.
MITRE Tactic: TA0040, MITRE Technique: T1565

Image attribute was modified

This rule detects modification of a specified attribute of a specified AMI.
Impact: Image attributes are sometimes modified by threat actors in order to exfiltrate data from an EC2 fleet.
Mitigation: If the attributes were modified, verify that the AMI was not shared with an unauthorized or unexpected AWS account.
MITRE Tactic: TA0005, MITRE Technique: T1562

Serial console access was enabled

This rule detects EC2 Serial Console access being enabled in the account for a specific region.
Impact: The serial console does not require an instance to have any networking capabilities. With the serial console, an attacker can enter commands on an instance as if a keyboard and monitor were directly attached to the instance's serial port.
Mitigation: Make sure serial console access is granted only to authenticated and authorized users.
MITRE Tactic: TA0004, MITRE Technique: T1078

An existing route was replaced in VPC

This rule detects the replacement of an existing route within a route table in a VPC.
Impact: An adversary may replace an existing route in order to alter the flow of network traffic in their target's cloud environment.
Mitigation: Investigate and verify that the configuration change was expected.
MITRE Tactic: TA0005, MITRE Technique: T1562

EC2 Startup Shell Script Changed

This alert triggers when changes are made to the EC2 instance startup script. The shell script is executed as root/SYSTEM every time the specific instances are booted up.
Impact: An attacker could modify the script to introduce malicious code, allowing them to:
- Install malware and backdoors for persistent access.
- Steal sensitive data or credentials.
- Disrupt system operations or launch further attacks.
Mitigation: If the changes are unauthorized, revoke them and investigate further for any malicious activity.
MITRE Tactic: TA0002, MITRE Technique: T1059, MITRE Sub-Technique: T1059.001
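As an added example (not Coralogix's rule logic, which this page does not show), the following Python classifier maps EC2 CloudTrail records to the ten alerts above and surfaces the identity, user agent and source address that the mitigations say to verify. The eventName values it keys on are my assumption of the EC2 API calls behind each alert, and the sample records are constructed.

```python
from typing import Optional

# Mapping from EC2 CloudTrail eventName values to the alerts on this page.
# The event names are my assumption of what each alert would key on.
RULES = {
    "CreateInstanceExportTask": ("VM Export was attempted", "TA0010", "T1537"),
    "ModifySnapshotAttribute": ("Snapshot attribute was modified", "TA0010", "T1537"),
    "DeleteNetworkAcl": ("Network Access Control List was deleted", "TA0005", "T1562"),
    "CreateNetworkAcl": ("Network Access Control List was created", "TA0003", "T1133"),
    "CreateTrafficMirrorSession": ("Network packet capture was detected", "TA0010", "T1020"),
    "DisableEbsEncryptionByDefault": ("Encryption was disabled", "TA0040", "T1565"),
    "ModifyImageAttribute": ("Image attribute was modified", "TA0005", "T1562"),
    "EnableSerialConsoleAccess": ("Serial console access was enabled", "TA0004", "T1078"),
    "ReplaceRoute": ("An existing route was replaced in VPC", "TA0005", "T1562"),
}
USER_DATA_RULE = ("EC2 Startup Shell Script Changed", "TA0002", "T1059.001")  # keyed on userData (assumption)

def classify(event: dict) -> Optional[dict]:
    """Return an alert record for one CloudTrail record, or None if no rule matches."""
    if event.get("eventSource") != "ec2.amazonaws.com":
        return None
    name, params = event.get("eventName"), event.get("requestParameters") or {}
    if name == "ModifyInstanceAttribute":
        if "userData" not in params:  # other attribute changes are not startup-script edits
            return None
        rule = USER_DATA_RULE
    elif name in RULES:
        rule = RULES[name]
    else:
        return None
    ident = event.get("userIdentity") or {}
    # Surface the fields the mitigations say to verify: identity, user agent, source host.
    return {"alert": rule[0], "tactic": rule[1], "technique": rule[2], "eventName": name,
            "user": ident.get("arn", "unknown"), "userAgent": event.get("userAgent"),
            "sourceIPAddress": event.get("sourceIPAddress")}

def scan(records: list) -> list:
    return [a for a in map(classify, records) if a]  # keep only the matches

# Constructed sample CloudTrail records (not real log data).
SAMPLE = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "ModifySnapshotAttribute", "userAgent": "aws-cli/2.0",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}, "sourceIPAddress": "203.0.113.5",
     "requestParameters": {"snapshotId": "snap-0123", "attributeType": "CREATE_VOLUME_PERMISSION"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "ModifyInstanceAttribute",
     "requestParameters": {"instanceId": "i-0abc", "userData": {"value": "<sensitiveDataRemoved>"}}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "ModifyInstanceAttribute",
     "requestParameters": {"instanceId": "i-0abc", "instanceType": {"value": "t3.large"}}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
]
```

Running scan(SAMPLE) yields two alerts: the snapshot attribute change attributed to alice, and the startup-script change, while the instance-type change and the read-only DescribeInstances call produce nothing.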

Integration

Learn more about Coralogix's out-of-the-box integration with AWS EC2 in our documentation.
