AWS EC2 Multi-Region DescribeInstances API Calls
Identifies when a single AWS resource is making DescribeInstances API calls in more than 10 regions within a 30-second window. This could indicate a potential threat actor attempting to discover the AWS infrastructure across multiple regions using compromised credentials or a compromised instance. Adversaries may use this information to identify potential targets for further exploitation or to gain a better understanding of the target's infrastructure.
Rule type: esql
Rule indices: None
Severity: low
Risk score: 21
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Cloud
- Data Source: AWS
- Data Source: AWS EC2
- Resources: Investigation Guide
- Use Case: Threat Detection
- Tactic: Discovery
Version: 3
Rule authors:
- Elastic
Rule license: Elastic License v2
Investigation guide
Triage and Analysis
Investigating AWS EC2 Multi-Region DescribeInstances API Calls
This rule detects instances where a single AWS resource makes DescribeInstances API calls in over 10 regions within a 30-second window. This could indicate an adversary using compromised credentials or an exploited resource to enumerate AWS infrastructure across multiple regions. Attackers often leverage multi-region enumeration to assess the overall cloud environment and find potential targets for further exploitation.
Possible Investigation Steps
- Identify the Resource and Actor:
  - Actor ARN: Check aws.cloudtrail.user_identity.arn to determine the exact identity performing the enumeration. Validate if the user is expected to perform region-wide DescribeInstances actions across multiple regions or if it seems unusual.
  - Account and Role Details: Examine cloud.account.id and aws.cloudtrail.user_identity.session_context.session_issuer for information about the AWS account and specific role associated with the action.
- Analyze API Call Patterns:
  - Frequency and Scope: Review the cloud.region field and confirm if this specific resource commonly performs DescribeInstances calls across multiple regions.
  - Time Window Context: Compare the timing of the API calls within the target_time_window to determine if this burst pattern aligns with expected system usage or is potentially malicious.
- Check User Agent and Tooling:
  - Source and User Agent: Verify user_agent.original to determine if the request was made through expected tooling (e.g., AWS CLI or SDK) or a third-party tool that might indicate non-standard access.
  - Source IP Address: Look into source.address to identify the origin of the calls. Unusual IP addresses, especially those outside expected ranges, may indicate compromised access.
- Evaluate for Potential Reconnaissance Behavior:
  - Account and Region Enumeration: Adversaries may use region-wide DescribeInstances requests to discover resources within an account across different regions. Confirm if this access aligns with operational practices or represents excessive access.
  - Permissions and Roles: Investigate the permissions associated with the user role. Excessive permissions on a compromised role may allow broader enumeration, which should be restricted.
- Review Related CloudTrail Events:
  - Additional Describe or List Actions: Identify any associated Describe or List API calls that may indicate further enumeration of other AWS services within the same timeframe.
  - Potential Preceding Events: Look for preceding login or access events from the same actor, as these may indicate potential credential compromise or unauthorized escalation of privileges.
False Positive Analysis
- Expected Enumeration: Certain administrative or automation scripts may conduct broad DescribeInstances API calls for inventory purposes. Review usage patterns or consult relevant teams to validate the purpose.
- Automated Cloud Management: Some automated services may perform regional checks for compliance or backup operations. If this rule is triggered repeatedly by a known service, consider whitelisting or tuning accordingly.
Response and Remediation
- Review IAM Policies and Role Permissions: Limit the permissions of roles associated with this resource, restricting unnecessary multi-region enumeration access.
- Enforce Least Privilege Access: Ensure that permissions for DescribeInstances are tightly controlled and restricted to specific roles or accounts that require multi-region access.
- Increase Monitoring and Alerts: Set up additional monitoring on this role or account for further signs of unauthorized activity or lateral movement attempts.
- Access Review: Conduct a review of users and entities with DescribeInstances permissions, especially for multi-region capabilities, and ensure these permissions are necessary for their functions.
Additional Information
For further information on AWS DescribeInstances permissions and best practices, refer to the AWS DescribeInstances API documentation.
Rule query
from logs-aws.cloudtrail-*

// filter for DescribeInstances API calls
| where event.dataset == "aws.cloudtrail" and event.provider == "ec2.amazonaws.com" and event.action == "DescribeInstances"

// truncate the timestamp to a 30-second window
| eval target_time_window = DATE_TRUNC(30 seconds, @timestamp)

// keep only the relevant fields
| keep target_time_window, aws.cloudtrail.user_identity.arn, cloud.region

// count the number of unique regions and total API calls within the 30-second window
| stats region_count = count_distinct(cloud.region), window_count = count(*) by target_time_window, aws.cloudtrail.user_identity.arn

// filter for resources making DescribeInstances API calls in 10 or more regions within the 30-second window (region_count >= 10)
| where region_count >= 10 and window_count >= 10

// sort the results by time windows in descending order
| sort target_time_window desc
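To make the aggregation above concrete, here is an added Python re-implementation of the same logic over constructed CloudTrail-style events; it is example code written for this page, not Elastic's rule or any Elastic library. The field names, the 30-second DATE_TRUNC bucketing and the thresholds mirror the ES|QL query exactly, which surfaces two details worth knowing when triaging: the query fires at region_count >= 10, i.e. ten or more distinct regions (the rule description says "more than 10"), and because the window is a fixed truncation rather than a sliding one, a burst of the same breadth that straddles a :00/:30 boundary is split across two buckets and may not alert. The keep clause also drops user_agent.original and source.address, so those investigation-guide fields must be pulled from the raw events rather than from the alert row. All ARNs, account IDs, timestamps and regions below are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime

# Thresholds mirror the rule query: region_count >= 10 and window_count >= 10
WINDOW_SECONDS = 30
REGION_THRESHOLD = 10
CALL_THRESHOLD = 10


def truncate_to_window(ts: str) -> int:
    """Equivalent of DATE_TRUNC(30 seconds, @timestamp): epoch seconds floored to the window start."""
    epoch = int(datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp())
    return epoch - (epoch % WINDOW_SECONDS)


def detect_multi_region_describe(events):
    """Return [(window_start_epoch, arn, region_count, window_count)] for actors matching
    the rule logic, newest window first (the query's `sort target_time_window desc`)."""
    # (target_time_window, arn) -> distinct regions seen and total call count
    buckets = defaultdict(lambda: {"regions": set(), "calls": 0})
    for ev in events:
        # same filter as the ES|QL `where` clause
        if not (ev.get("event.dataset") == "aws.cloudtrail"
                and ev.get("event.provider") == "ec2.amazonaws.com"
                and ev.get("event.action") == "DescribeInstances"):
            continue
        key = (truncate_to_window(ev["@timestamp"]), ev["aws.cloudtrail.user_identity.arn"])
        buckets[key]["regions"].add(ev["cloud.region"])   # count_distinct(cloud.region)
        buckets[key]["calls"] += 1                         # count(*)

    alerts = []
    for (window, arn), b in buckets.items():
        region_count, window_count = len(b["regions"]), b["calls"]
        if region_count >= REGION_THRESHOLD and window_count >= CALL_THRESHOLD:
            alerts.append((window, arn, region_count, window_count))
    alerts.sort(key=lambda a: a[0], reverse=True)
    return alerts


# Constructed sample data (not real CloudTrail records); 123456789012 is the AWS documentation account ID
REGIONS = ["us-east-1", "us-east-2", "us-west-1", "us-west-2", "eu-west-1", "eu-west-2",
           "eu-central-1", "ap-southeast-1", "ap-southeast-2", "ap-northeast-1",
           "sa-east-1", "ca-central-1"]


def make_event(ts, arn, region, action="DescribeInstances"):
    """Build a minimal ECS-shaped CloudTrail event carrying only the fields the rule reads."""
    return {"@timestamp": ts, "event.dataset": "aws.cloudtrail",
            "event.provider": "ec2.amazonaws.com", "event.action": action,
            "aws.cloudtrail.user_identity.arn": arn, "cloud.region": region}


SAMPLE_EVENTS = (
    # enumeration-like burst: 12 regions, 12 calls, all inside the 00:00:00-00:00:29 window -> alerts
    [make_event(f"2024-01-01T00:00:{5 + i:02d}Z", "arn:aws:iam::123456789012:user/recon", r)
     for i, r in enumerate(REGIONS)]
    # single-region polling: 15 calls but one region -> region_count is 1, no alert
    + [make_event(f"2024-01-01T00:00:{i:02d}Z", "arn:aws:iam::123456789012:role/monitor", "us-east-1")
       for i in range(15)]
    # same breadth, but straddling a window boundary: 6 calls at :28 and 6 at :31 -> neither bucket reaches 10
    + [make_event("2024-01-01T00:00:28Z" if i < 6 else "2024-01-01T00:00:31Z",
                  "arn:aws:iam::123456789012:user/straddler", r) for i, r in enumerate(REGIONS)]
    # unrelated EC2 action in the same window, dropped by the action filter
    + [make_event("2024-01-01T00:00:10Z", "arn:aws:iam::123456789012:user/recon", "us-east-1",
                  action="RunInstances")]
)

if __name__ == "__main__":
    for window, arn, regions, calls in detect_multi_region_describe(SAMPLE_EVENTS):
        print(f"window={window} arn={arn} region_count={regions} window_count={calls}")
```

Only the "recon" identity produces an alert row; the single-region poller and the boundary-straddling actor do not, which is the behaviour to keep in mind when tuning the thresholds or deciding whether a sliding window is worth the extra cost.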
Framework: MITRE ATT&CK
- Tactic:
  - Name: Discovery
  - ID: TA0007
  - Reference URL: https://attack.mitre.org/tactics/TA0007/
- Technique:
  - Name: Cloud Infrastructure Discovery
  - ID: T1580
  - Reference URL: https://attack.mitre.org/techniques/T1580/