Identifies the first time a given IAM principal successfully creates an EC2 key pair when the request is sourced from a network whose autonomous system organization is not attributed to common cloud or hyperscaler providers in your GeoIP data. Adversaries may call CreateKeyPair to stage SSH access material before launching or accessing instances. A New Terms baseline on user_identity.arn suppresses repeated noise from the same principal while still surfacing the initial suspicious creation from an unusual egress label.
Identifies a DescribeInstanceAttribute discovery request with the userData attribute and an instanceId in AWS CloudTrail logs. This may indicate an attempt to retrieve user data from an EC2 instance. Adversaries may use this information to gather sensitive data from the instance, such as hardcoded credentials, or to identify potential vulnerabilities. This is a New Terms rule that identifies the first time an IAM user or role requests the user data for a specific EC2 instance.