AWS EC2 User Data Retrieval for EC2 Instance
Identifies discovery request DescribeInstanceAttribute with the attribute userData and instanceId in AWS CloudTrail logs. This may indicate an attempt to retrieve user data from an EC2 instance. Adversaries may use this information to gather sensitive data from the instance such as hardcoded credentials or to identify potential vulnerabilities. This is a New Terms rule that identifies the first time an IAM user or role requests the user data for a specific EC2 instance.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2024/04/14"
3integration = ["aws"]
4maturity = "production"
5updated_date = "2025/07/10"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies discovery request DescribeInstanceAttribute with the attribute userData and instanceId in AWS CloudTrail
11logs. This may indicate an attempt to retrieve user data from an EC2 instance. Adversaries may use this information to
12gather sensitive data from the instance such as hardcoded credentials or to identify potential vulnerabilities. This is
13a New Terms rule that identifies the first time an IAM user or role requests the user data for a specific EC2 instance.
14"""
15from = "now-6m"
16interval = "5m"
17index = ["filebeat-*", "logs-aws.cloudtrail-*"]
18language = "kuery"
19license = "Elastic License v2"
20name = "AWS EC2 User Data Retrieval for EC2 Instance"
21note = """
22## Triage and Analysis
23
24### Investigating AWS EC2 User Data Retrieval for EC2 Instance
25
26This rule detects requests to retrieve the `userData` attribute of an EC2 instance using the `DescribeInstanceAttribute` API action. The `userData` field can contain sensitive information, such as hardcoded credentials or configuration scripts, that adversaries may exploit for further attacks.
27
28#### Possible Investigation Steps
29
30- **Identify the Target Instance**:
31 - **Instance ID**: Review the `aws.cloudtrail.flattened.request_parameters.instanceId` field to identify the EC2 instance targeted by the request. Confirm whether this instance should expose its `userData` and whether it is associated with sensitive workloads.
32 - **Analyze userData**: If possible, retrieve and inspect the `userData` field to identify sensitive information like hardcoded credentials or configuration scripts.
33
34- **Review User Context**:
35 - **User Identity**: Inspect the `aws.cloudtrail.user_identity.arn` field to identify the user or role that executed the `DescribeInstanceAttribute` action. Investigate whether this user typically performs such actions.
36 - **Access Patterns**: Validate whether the user or role has the necessary permissions and whether the frequency of this action aligns with expected behavior.
37 - **Access Key ID**: Check the `aws.cloudtrail.user_identity.access_key_id` field to determine the key used to make the request as it may be compromised.
38 - **Source IP and Geolocation**: Check the `source.address` and `source.geo` fields to validate whether the request originated from a trusted location or network. Unexpected geolocations can indicate adversarial activity.
39 - **User Agent**: Inspect the `user_agent.original` field to determine the tool or client used (e.g., Terraform, AWS CLI). Legitimate automation tools may trigger this activity, but custom or unknown user agents may indicate malicious intent.
40
41- **Check for Related Activity**:
42 - **IAM Changes**: Correlate this event with any IAM changes or temporary credential creation to identify potential privilege escalation attempts.
43 - **API Usage**: Look for other unusual API calls (e.g., `RunInstances`, `GetObject`, `AssumeRole`) by the same user or IP to detect lateral movement or data exfiltration attempts.
44
45- **Validate Intent**:
46 - **Permissions and Justification**: Ensure that the user has the least privilege required to perform this action. Investigate whether there is a valid reason for accessing the `userData` field.
47
48### False Positive Analysis
49
50- **Automation**: This event is often triggered by legitimate automation tools, such as Terraform or custom scripts, that require access to `userData` during instance initialization.
51- **Maintenance Activity**: Verify whether this event aligns with expected administrative activities, such as debugging or instance configuration updates.
52
53### Response and Remediation
54
55- **Revoke Excessive Permissions**: If unauthorized, immediately remove `DescribeInstanceAttribute` permissions from the user or role.
56- **Quarantine the Target Instance**: If malicious behavior is confirmed, isolate the affected EC2 instance to limit further exposure.
57- **Secure User Data**:
58 - Avoid storing sensitive information, such as credentials, in `userData`. Use AWS Secrets Manager or Parameter Store instead.
59 - Encrypt user data and ensure only authorized users can decrypt it.
60- **Audit IAM Policies**: Regularly review IAM policies to ensure they adhere to the principle of least privilege.
61- **Monitor and Detect**: Set up additional alerts for unexpected `DescribeInstanceAttribute` calls or other suspicious API activity.
62
63### Additional Information
64
65For more details on managing EC2 user data securely, refer to the [AWS EC2 User Data Documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html).
66"""
67references = [
68 "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstanceAttribute.html",
69 "https://hackingthe.cloud/aws/exploitation/local_ec2_priv_esc_through_user_data",
70]
71risk_score = 47
72rule_id = "c1e79a70-fa6f-11ee-8bc8-f661ea17fbce"
73severity = "medium"
74tags = [
75 "Domain: Cloud",
76 "Data Source: AWS",
77 "Data Source: Amazon Web Services",
78 "Data Source: Amazon EC2",
79 "Resources: Investigation Guide",
80 "Use Case: Log Auditing",
81 "Tactic: Discovery",
82]
83timestamp_override = "event.ingested"
84type = "new_terms"
85
86query = '''
87event.dataset: "aws.cloudtrail"
88 and event.provider: "ec2.amazonaws.com"
89 and event.action: "DescribeInstanceAttribute"
90 and event.outcome: "success"
91 and aws.cloudtrail.flattened.request_parameters.attribute: "userData"
92 and not aws.cloudtrail.user_identity.invoked_by: (
93 "AWS Internal" or
94 "cloudformation.amazonaws.com"
95 )
96'''
97
98[rule.investigation_fields]
99field_names = [
100 "@timestamp",
101 "user.name",
102 "user_agent.original",
103 "source.ip",
104 "aws.cloudtrail.user_identity.arn",
105 "aws.cloudtrail.user_identity.type",
106 "aws.cloudtrail.user_identity.access_key_id",
107 "event.action",
108 "event.outcome",
109 "cloud.account.id",
110 "cloud.region",
111 "aws.cloudtrail.request_parameters",
112 "aws.cloudtrail.response_elements"
113]
114
115[[rule.threat]]
116framework = "MITRE ATT&CK"
117[[rule.threat.technique]]
118id = "T1580"
119name = "Cloud Infrastructure Discovery"
120reference = "https://attack.mitre.org/techniques/T1580/"
121
122
123[rule.threat.tactic]
124id = "TA0007"
125name = "Discovery"
126reference = "https://attack.mitre.org/tactics/TA0007/"
127[[rule.threat]]
128framework = "MITRE ATT&CK"
129[[rule.threat.technique]]
130id = "T1552"
131name = "Unsecured Credentials"
132reference = "https://attack.mitre.org/techniques/T1552/"
133[[rule.threat.technique.subtechnique]]
134id = "T1552.005"
135name = "Cloud Instance Metadata API"
136reference = "https://attack.mitre.org/techniques/T1552/005/"
137
138
139
140[rule.threat.tactic]
141id = "TA0006"
142name = "Credential Access"
143reference = "https://attack.mitre.org/tactics/TA0006/"
144
145[rule.new_terms]
146field = "new_terms_fields"
147value = ["cloud.account.id", "user.name", "aws.cloudtrail.flattened.request_parameters.instanceId"]
148[[rule.new_terms.history_window_start]]
149field = "history_window_start"
150value = "now-14d"
Triage and Analysis
Investigating AWS EC2 User Data Retrieval for EC2 Instance
This rule detects requests to retrieve the userData
attribute of an EC2 instance using the DescribeInstanceAttribute
API action. The userData
field can contain sensitive information, such as hardcoded credentials or configuration scripts, that adversaries may exploit for further attacks.
Possible Investigation Steps
-
Identify the Target Instance:
- Instance ID: Review the
aws.cloudtrail.flattened.request_parameters.instanceId
field to identify the EC2 instance targeted by the request. Confirm whether this instance should expose itsuserData
and whether it is associated with sensitive workloads. - Analyze userData: If possible, retrieve and inspect the
userData
field to identify sensitive information like hardcoded credentials or configuration scripts.
- Instance ID: Review the
-
Review User Context:
- User Identity: Inspect the
aws.cloudtrail.user_identity.arn
field to identify the user or role that executed theDescribeInstanceAttribute
action. Investigate whether this user typically performs such actions. - Access Patterns: Validate whether the user or role has the necessary permissions and whether the frequency of this action aligns with expected behavior.
- Access Key ID: Check the
aws.cloudtrail.user_identity.access_key_id
field to determine the key used to make the request as it may be compromised. - Source IP and Geolocation: Check the
source.address
andsource.geo
fields to validate whether the request originated from a trusted location or network. Unexpected geolocations can indicate adversarial activity. - User Agent: Inspect the
user_agent.original
field to determine the tool or client used (e.g., Terraform, AWS CLI). Legitimate automation tools may trigger this activity, but custom or unknown user agents may indicate malicious intent.
- User Identity: Inspect the
-
Check for Related Activity:
- IAM Changes: Correlate this event with any IAM changes or temporary credential creation to identify potential privilege escalation attempts.
- API Usage: Look for other unusual API calls (e.g.,
RunInstances
,GetObject
,AssumeRole
) by the same user or IP to detect lateral movement or data exfiltration attempts.
-
Validate Intent:
- Permissions and Justification: Ensure that the user has the least privilege required to perform this action. Investigate whether there is a valid reason for accessing the
userData
field.
- Permissions and Justification: Ensure that the user has the least privilege required to perform this action. Investigate whether there is a valid reason for accessing the
False Positive Analysis
- Automation: This event is often triggered by legitimate automation tools, such as Terraform or custom scripts, that require access to
userData
during instance initialization. - Maintenance Activity: Verify whether this event aligns with expected administrative activities, such as debugging or instance configuration updates.
Response and Remediation
- Revoke Excessive Permissions: If unauthorized, immediately remove
DescribeInstanceAttribute
permissions from the user or role. - Quarantine the Target Instance: If malicious behavior is confirmed, isolate the affected EC2 instance to limit further exposure.
- Secure User Data:
- Avoid storing sensitive information, such as credentials, in
userData
. Use AWS Secrets Manager or Parameter Store instead. - Encrypt user data and ensure only authorized users can decrypt it.
- Avoid storing sensitive information, such as credentials, in
- Audit IAM Policies: Regularly review IAM policies to ensure they adhere to the principle of least privilege.
- Monitor and Detect: Set up additional alerts for unexpected
DescribeInstanceAttribute
calls or other suspicious API activity.
Additional Information
For more details on managing EC2 user data securely, refer to the AWS EC2 User Data Documentation.
References
Related rules
- AWS SSM `SendCommand` Execution by Rare User
- AWS CloudTrail Log Evasion
- AWS VPC Flow Logs Deletion
- AWS CloudTrail Log Created
- AWS KMS Customer Managed Key Disabled or Scheduled for Deletion