AWS EC2 Instance Profile Associated with Running Instance

Identifies when an IAM instance profile is associated with a running EC2 instance or replaces the existing association. These APIs change which role credentials the instance obtains via the instance metadata service without terminating the instance. Attackers who can call AssociateIamInstanceProfile or ReplaceIamInstanceProfile may attach a more privileged role to a workload they control, enabling privilege escalation or lateral movement from the instance.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2026/04/08"
integration = ["aws"]
maturity = "production"
updated_date = "2026/04/08"

[rule]
author = ["Elastic"]
description = """
Identifies when an IAM instance profile is associated with a running EC2 instance or replaces the existing association.
These APIs change which role credentials the instance obtains via the instance metadata service without terminating the
instance. Attackers who can call `AssociateIamInstanceProfile` or `ReplaceIamInstanceProfile` may attach a more
privileged role to a workload they control, enabling privilege escalation or lateral movement from the instance.
"""
false_positives = [
    """
    Blue/green deployments, instance remediation, and automation may rebind instance profiles intentionally. Confirm the
    instance id, new `iamInstanceProfile` or `IamInstanceProfile` ARN, and change records. Exclude known automation
    roles after validation.
    """,
]
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS EC2 Instance Profile Associated with Running Instance"
note = """## Triage and analysis

### Investigating AWS EC2 Instance Profile Associated with Running Instance

`AssociateIamInstanceProfile` adds an instance profile to a running instance (where none was set at launch).
`ReplaceIamInstanceProfile` swaps the association. Both require `ec2:AssociateIamInstanceProfile` /
`ec2:ReplaceIamInstanceProfile` and typically `iam:PassRole` on the target instance profile’s role.

#### Possible investigation steps

- Parse `aws.cloudtrail.request_parameters` for `instanceId` and instance profile name or ARN.
- Identify the IAM role behind the profile and compare its policies to the prior role (if any).
- Map the instance to owner, application, and sensitivity; check for recent compromise indicators (SSRF to IMDS,
  unusual `AssumeRole` from the instance role).
- Review `aws.cloudtrail.user_identity.arn`, `source.ip`, and `user_agent.original`.

### False positive analysis

- Legitimate fixes for missing or wrong profiles at launch; verify with service owners.

### Response and remediation

- If unauthorized: disassociate or replace with the correct profile, revoke `PassRole`/`ec2` permissions from the
  actor, and rotate credentials that may have been issued from the over-privileged role.

### Additional information

- [AssociateIamInstanceProfile](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AssociateIamInstanceProfile.html)
- [ReplaceIamInstanceProfile](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceIamInstanceProfile.html)
"""
references = [
    "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AssociateIamInstanceProfile.html",
    "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceIamInstanceProfile.html",
]
risk_score = 73
rule_id = "e5f9a1b2-3c4d-4e6f-a7b8-9c0d1e2f3a4b"
severity = "high"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS EC2",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Tactic: Lateral Movement",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset: "aws.cloudtrail"
    and event.provider: "ec2.amazonaws.com"
    and event.action: ("AssociateIamInstanceProfile" or "ReplaceIamInstanceProfile")
    and event.outcome: "success"
    and not aws.cloudtrail.user_identity.type: "AWSService"
    and not aws.cloudtrail.user_identity.invoked_by: "ssm.amazonaws.com"
'''

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "aws.cloudtrail.resources.arn",
    "aws.cloudtrail.resources.type",
    "event.action",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
    "aws.cloudtrail.request_parameters",
    "aws.cloudtrail.response_elements",
]

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"

[[rule.threat.technique.subtechnique]]
id = "T1548.005"
name = "Temporary Elevated Cloud Access"
reference = "https://attack.mitre.org/techniques/T1548/005/"

[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"

[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
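As an added example (not part of the Elastic rule or its repository), the Python below mirrors the rule's KQL filter over constructed CloudTrail records and then pulls out the `instanceId`, instance profile ARN or name, and actor fields that the investigation steps tell the analyst to check. The record layout, account IDs, instance IDs and ARNs are assumptions; the case-insensitive key search is there to cope with the `iamInstanceProfile` / `IamInstanceProfile` casing difference the false-positive note mentions.

```python
WATCHED = {"AssociateIamInstanceProfile", "ReplaceIamInstanceProfile"}

# Constructed records (not real CloudTrail output); IDs/ARNs are invented and key casing varies on purpose.
SAMPLE_EVENTS = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "AssociateIamInstanceProfile",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.0 (constructed)",
     "requestParameters": {"AssociateIamInstanceProfileRequest": {"instanceId": "i-0123456789abcdef0",
         "iamInstanceProfile": {"arn": "arn:aws:iam::111122223333:instance-profile/AdminProfile"}}}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "ReplaceIamInstanceProfile",
     "userIdentity": {"type": "AssumedRole", "invokedBy": "ssm.amazonaws.com",
                      "arn": "arn:aws:sts::111122223333:assumed-role/AutomationRole/ssm"},
     "requestParameters": {"AssociationId": "iip-assoc-0abc", "IamInstanceProfile": {"Name": "WebProfile"}}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "AssociateIamInstanceProfile",
     "errorCode": "Client.UnauthorizedOperation", "userIdentity": {"type": "IAMUser"},
     "requestParameters": {"InstanceId": "i-0fedcba9876543210"}},
]

def matches_rule(ev):
    """Mirror the KQL: EC2 provider, watched action, success, not an AWS service or SSM caller."""
    ident = ev.get("userIdentity", {})
    return (ev.get("eventSource") == "ec2.amazonaws.com"
            and ev.get("eventName") in WATCHED
            and "errorCode" not in ev            # no errorCode is how the integration derives event.outcome: success
            and ident.get("type") != "AWSService"
            and ident.get("invokedBy") != "ssm.amazonaws.com")

def find_key(obj, wanted):
    """Depth-first, case-insensitive key lookup, so instanceId and InstanceId both match."""
    items = obj.items() if isinstance(obj, dict) else enumerate(obj) if isinstance(obj, list) else ()
    for key, val in items:
        if isinstance(key, str) and key.lower() == wanted.lower():
            return val
        hit = find_key(val, wanted)
        if hit is not None:
            return hit
    return None

def triage_fields(ev):
    """The fields the investigation guide asks for, pulled from one matching record."""
    params = ev.get("requestParameters", {})
    profile = find_key(params, "iamInstanceProfile") or {}
    return {"action": ev["eventName"], "actor": ev.get("userIdentity", {}).get("arn"),
            "source_ip": ev.get("sourceIPAddress"), "user_agent": ev.get("userAgent"),
            "instance_id": find_key(params, "instanceId"),
            "association_id": find_key(params, "associationId"),
            "profile_arn": find_key(profile, "arn"), "profile_name": find_key(profile, "name")}

def alerts(events):  # records that would fire the rule, already shaped for triage
    return [triage_fields(ev) for ev in events if matches_rule(ev)]
```

Only the first constructed record survives the filter; the SSM-invoked replacement and the failed call drop out exactly as they would under the rule's `invoked_by` and `event.outcome` clauses.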
