AWS Key Pair Import Activity
Detects calls to the EC2 ImportKeyPair API as recorded in CloudTrail. ImportKeyPair registers a public key that was generated outside AWS, so the service never sees the private half; an attacker with permission to call it can register a key that only they hold and use it when launching new instances, which supports initial access, persistence, or privilege escalation and can expose sensitive data and operations. The rule fires on every ImportKeyPair call, so each hit has to be triaged against the calling identity, user agent, and source IP address rather than treated as malicious on its own.
Sigma rule
title: AWS Key Pair Import Activity
id: 92f84194-8d9a-4ee0-8699-c30bfac59780
status: experimental
description: |
    Detects the import of SSH key pairs into AWS EC2, which may indicate an attacker attempting to gain unauthorized access to instances. This activity could lead to initial access, persistence, or privilege escalation, potentially compromising sensitive data and operations.
references:
    - https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ImportKeyPair.html
author: Ivan Saakov
date: 2024-12-19
tags:
    - attack.initial-access
    - attack.defense-evasion
    - attack.t1078
    - attack.persistence
    - attack.privilege-escalation
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: 'ec2.amazonaws.com'
        eventName: 'ImportKeyPair'
    condition: selection
falsepositives:
    - Legitimate administrative actions by authorized users importing keys for valid purposes.
    - Automated processes for infrastructure setup may trigger this alert.
    - Verify the user identity, user agent, and source IP address to ensure they are expected.
level: medium
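To show how the selection behaves on realistically shaped input, and how the three checks listed under falsepositives turn a raw match into something an analyst can act on, here is an added Python example. It is not part of the SigmaHQ rule or this page. It applies the rule's selection to constructed CloudTrail records and then triages each match against an allowlist of automation principals, expected source CIDRs, and expected user-agent prefixes; the role ARN, the 198.51.100.0/24 range, the Terraform user-agent prefix, and every record field value are assumptions made up for the example.

```python
"""Apply the 'AWS Key Pair Import Activity' Sigma selection to CloudTrail records.

Added example, not code from the SigmaHQ rule or its author. Records are
constructed: field names follow the CloudTrail record format, but every ARN,
IP address, key name and user agent below is made up for the example.
"""
import ipaddress
import json

# The rule's selection: both fields must match (a Sigma selection map is an AND).
SELECTION = {"eventSource": "ec2.amazonaws.com", "eventName": "ImportKeyPair"}

# Triage context, assumed for this example, for the checks the rule lists under
# falsepositives: who may import keys, from which addresses, with which tooling.
KNOWN_AUTOMATION_ARNS = {
    "arn:aws:sts::111122223333:assumed-role/terraform-apply/ci-runner",
}
EXPECTED_SOURCE_CIDRS = [ipaddress.ip_network("198.51.100.0/24")]
EXPECTED_USER_AGENT_PREFIXES = ("APN/1.0 HashiCorp/1.0 Terraform",)

# Constructed CloudTrail export, same top-level shape as a CloudTrail log file.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {   # Terraform run from CI: matches the rule, should triage as expected
        "eventTime": "2024-12-19T10:02:11Z", "sourceIPAddress": "198.51.100.25",
        "eventSource": "ec2.amazonaws.com", "eventName": "ImportKeyPair",
        "userAgent": "APN/1.0 HashiCorp/1.0 Terraform/1.9.5 (+https://www.terraform.io)",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/terraform-apply/ci-runner"},
        "requestParameters": {"keyName": "web-tier-2024q4"},
    },
    {   # IAM user, CLI, unknown address: matches the rule, needs investigation
        "eventTime": "2024-12-19T23:41:07Z", "sourceIPAddress": "203.0.113.77",
        "eventSource": "ec2.amazonaws.com", "eventName": "ImportKeyPair",
        "userAgent": "aws-cli/2.17.0 md/awscrt#0.20.11 ua/2.0 os/linux",
        "userIdentity": {"type": "IAMUser", "userName": "contractor-bob",
                         "arn": "arn:aws:iam::111122223333:user/contractor-bob"},
        "requestParameters": {"keyName": "tmp-access"},
    },
    {   # CreateKeyPair (AWS generates the key): not matched by this rule
        "eventTime": "2024-12-19T11:15:00Z", "sourceIPAddress": "198.51.100.25",
        "eventSource": "ec2.amazonaws.com", "eventName": "CreateKeyPair",
        "userAgent": "console.ec2.amazonaws.com",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
        "requestParameters": {"keyName": "alice-laptop"},
    },
    {   # Same eventName from another service: the eventSource check excludes it
        "eventTime": "2024-12-19T12:00:00Z", "sourceIPAddress": "203.0.113.77",
        "eventSource": "lightsail.amazonaws.com", "eventName": "ImportKeyPair",
        "userAgent": "aws-cli/2.17.0 md/awscrt#0.20.11 ua/2.0 os/linux",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/contractor-bob"},
        "requestParameters": {"keyPairName": "tmp-access"},
    },
]})


def matches_selection(record):
    """True when every field in SELECTION equals the record's value for it."""
    return all(record.get(field) == value for field, value in SELECTION.items())


def triage(record):
    """Run the rule's false-positive checks; return (verdict, reasons)."""
    reasons = []
    arn = record.get("userIdentity", {}).get("arn", "")
    if arn not in KNOWN_AUTOMATION_ARNS:
        reasons.append(f"principal not in automation allowlist: {arn}")
    user_agent = record.get("userAgent", "")
    if not user_agent.startswith(EXPECTED_USER_AGENT_PREFIXES):
        reasons.append(f"unexpected user agent: {user_agent}")
    source = record.get("sourceIPAddress", "")
    try:
        if not any(ipaddress.ip_address(source) in net for net in EXPECTED_SOURCE_CIDRS):
            reasons.append(f"source IP outside expected ranges: {source}")
    except ValueError:
        # CloudTrail puts a service DNS name here when an AWS service made the call.
        reasons.append(f"call made on the principal's behalf from: {source}")
    return ("expected" if not reasons else "investigate"), reasons


def run_rule(cloudtrail_json):
    """Return one alert per record matched by the selection, with a triage verdict."""
    alerts = []
    for record in json.loads(cloudtrail_json)["Records"]:
        if not matches_selection(record):
            continue
        verdict, reasons = triage(record)
        alerts.append({
            "eventTime": record.get("eventTime"),
            "principal": record.get("userIdentity", {}).get("arn"),
            "keyName": record.get("requestParameters", {}).get("keyName"),
            "sourceIPAddress": record.get("sourceIPAddress"),
            "verdict": verdict,
            "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_CLOUDTRAIL):
        print(json.dumps(alert))
```

Only the two ec2.amazonaws.com ImportKeyPair records produce alerts; the CreateKeyPair call and the Lightsail call with the same eventName are ignored, which is why the rule keys on both fields. The alert keeps keyName on purpose: an imported key only takes effect on instances launched with it, so the follow-up for an "investigate" verdict is to look for later RunInstances calls in the same account that reference that key name.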