AWS Key Pair Import Activity
Detects the import of SSH key pairs into AWS EC2, which may indicate an attacker attempting to gain unauthorized access to instances. This activity could lead to initial access, persistence, or privilege escalation, potentially compromising sensitive data and operations.
Sigma rule (View on GitHub)
1title: AWS Key Pair Import Activity
2id: 92f84194-8d9a-4ee0-8699-c30bfac59780
3status: experimental
4description: |
5 Detects the import of SSH key pairs into AWS EC2, which may indicate an attacker attempting to gain unauthorized access to instances. This activity could lead to initial access, persistence, or privilege escalation, potentially compromising sensitive data and operations.
6references:
7 - https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ImportKeyPair.html
8author: Ivan Saakov
9date: 2024-12-19
10tags:
11 - attack.initial-access
12 - attack.t1078
13 - attack.persistence
14 - attack.privilege-escalation
15logsource:
16 product: aws
17 service: cloudtrail
18detection:
19 selection:
20 eventSource: 'ec2.amazonaws.com'
21 eventName: 'ImportKeyPair'
22 condition: selection
23falsepositives:
24 - Legitimate administrative actions by authorized users importing keys for valid purposes.
25 - Automated processes for infrastructure setup may trigger this alert.
26 - Verify the user identity, user agent, and source IP address to ensure they are expected.
27level: medium
References
Related rules
- Account Tampering - Suspicious Failed Logon Reasons
- Activity From Anonymous IP Address
- Application Using Device Code Authentication Flow
- Applications That Are Using ROPC Authentication Flow
- Atypical Travel