Identifies discovery request DescribeInstanceAttribute with the attribute userData and instanceId in AWS CloudTrail logs. This may indicate an attempt to retrieve user data from an EC2 instance. Adversaries may use this information to gather sensitive data from the instance such as hardcoded credentials or to identify potential vulnerabilities. This is a New Terms rule that identifies when aws.cloudtrail.user_identity.arn requests the user data for a specific aws.cloudtrail.flattened.request_parameters.instanceId from an EC2 instance in the last 14 days.

Read More