Advisory severity: high

AWS EC2 Instance Profile Associated with Running Instance

An attacker may escalate privileges by associating a compromised EC2 instance with a more privileged IAM instance profile.

This threat brief focuses on the potential for privilege escalation and lateral movement within Amazon Web Services (AWS) environments by abusing the ability to associate or replace IAM instance profiles on running EC2 instances. An attacker with the necessary permissions (ec2:AssociateIamInstanceProfile or ec2:ReplaceIamInstanceProfile and typically iam:PassRole) can elevate the privileges of a compromised EC2 instance. This is achieved by attaching a more privileged IAM role to the instance, granting the attacker access to resources and permissions beyond their initial scope. The event is logged in AWS CloudTrail, providing a critical detection opportunity for security teams.

Attack Chain

  1. An attacker gains initial access to an AWS account, potentially through compromised credentials or a vulnerable application.
  2. The attacker identifies a running EC2 instance with limited privileges.
  3. The attacker identifies or creates a more privileged IAM role that grants broader access to AWS resources.
  4. The attacker uses the AssociateIamInstanceProfile or ReplaceIamInstanceProfile API calls to associate the privileged IAM role with the target EC2 instance. This requires appropriate IAM permissions.
  5. The EC2 instance’s metadata service now provides credentials for the newly associated IAM role.
  6. The attacker leverages the elevated privileges to access sensitive data or resources, potentially including other EC2 instances, databases, or storage buckets.
  7. The attacker moves laterally within the AWS environment, compromising additional resources and escalating their access.
  8. The attacker achieves their objective, such as exfiltrating data, deploying malicious code, or disrupting services.

Impact

Successful exploitation allows attackers to elevate privileges within the AWS environment, potentially leading to unauthorized access to sensitive data, lateral movement to other systems, and disruption of critical services. The impact could range from data breaches and financial losses to reputational damage and regulatory fines. Identifying and responding to these events quickly is crucial to minimizing potential damage.

Recommendation

  • Deploy the Sigma rule “AWS EC2 Instance Profile Associated with Running Instance” to your SIEM using AWS CloudTrail logs to detect suspicious activity.
  • Review and harden IAM permissions related to ec2:AssociateIamInstanceProfile and ec2:ReplaceIamInstanceProfile to limit who can modify instance profiles.
  • Enable CloudTrail logging for all regions in your AWS account to ensure comprehensive audit coverage.
  • Implement least privilege principles for IAM roles assigned to EC2 instances to minimize the impact of potential privilege escalation.
  • Investigate any alerts generated by the Sigma rule, focusing on the source IP address, user identity, and the IAM role associated with the instance profile.
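As an added example (not from the advisory or its Sigma rule), a small Python detector that scans CloudTrail records for the two API calls above and pulls out the triage fields the last recommendation names: source IP, user identity, and the instance profile involved. The log lines, account ID and ARNs are constructed; the `requestParameters` layout is assumed from the EC2 API's request-wrapper form (the code searches it recursively so a different layout still works), and the watched set also includes `ReplaceIamInstanceProfileAssociation`, the EC2 API's own name for the replace operation.

```python
import json
from typing import Any, Iterator

# CloudTrail eventName values to alert on. ReplaceIamInstanceProfileAssociation is the EC2 API name
# for the replace call; the shorter spelling used in the brief is kept so either form matches.
WATCHED_EVENTS = {"AssociateIamInstanceProfile", "ReplaceIamInstanceProfile", "ReplaceIamInstanceProfileAssociation"}

# Constructed sample CloudTrail records, one JSON object per line (not real account data).
SAMPLE_LOG = """\
{"eventSource":"ec2.amazonaws.com","eventName":"AssociateIamInstanceProfile","sourceIPAddress":"203.0.113.10","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/dev-user"},"requestParameters":{"AssociateIamInstanceProfileRequest":{"InstanceId":"i-0abc123def456","IamInstanceProfile":{"Arn":"arn:aws:iam::123456789012:instance-profile/AdminProfile"}}}}
{"eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/ops"},"requestParameters":{}}
{"eventSource":"ec2.amazonaws.com","eventName":"ReplaceIamInstanceProfileAssociation","sourceIPAddress":"203.0.113.10","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/CI/build"},"requestParameters":{"ReplaceIamInstanceProfileAssociationRequest":{"AssociationId":"iip-assoc-0aa11bb22","IamInstanceProfile":{"Arn":"arn:aws:iam::123456789012:instance-profile/AdminProfile"}}}}
{"eventSource":"ec2.amazonaws.com","eventName":"AssociateIamInstanceProfile","errorCode":"Client.UnauthorizedOperation","sourceIPAddress":"203.0.113.10","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/dev-user"},"requestParameters":{"AssociateIamInstanceProfileRequest":{"InstanceId":"i-0abc123def456","IamInstanceProfile":{"Arn":"arn:aws:iam::123456789012:instance-profile/AdminProfile"}}}}
"""


def _find_values(obj: Any, key: str) -> Iterator[str]:
    """Yield every string stored under `key` anywhere in a nested dict/list (layout-tolerant)."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            if k == key and isinstance(v, str):
                yield v
            else:
                yield from _find_values(v, key)
    elif isinstance(obj, list):
        for item in obj:
            yield from _find_values(item, key)


def detect_instance_profile_changes(log_text: str) -> list[dict]:
    """One alert per watched EC2 event, carrying the triage fields the brief calls out.
    Denied attempts (errorCode present) are kept and marked: they show the path being probed."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("eventSource") != "ec2.amazonaws.com" or event.get("eventName") not in WATCHED_EVENTS:
            continue
        params = event.get("requestParameters") or {}
        profiles = [a for a in _find_values(params, "Arn") if ":instance-profile/" in a]
        instances = list(_find_values(params, "InstanceId"))
        alerts.append({
            "event": event["eventName"],
            "succeeded": "errorCode" not in event,
            "source_ip": event.get("sourceIPAddress"),
            "actor": event.get("userIdentity", {}).get("arn"),
            "instance_profile": profiles[0] if profiles else None,
            "instance_id": instances[0] if instances else None,
        })
    return alerts
```

Run on the constructed log it yields three alerts: the successful association, the replace, and the denied retry from the same source IP, which is the kind of repeated activity from one address worth correlating during investigation.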

Detection coverage (2 rules)

AWS EC2 Instance Profile Associated with Running Instance

Severity: high

Detects when an IAM instance profile is associated with a running EC2 instance or replaces the existing association.

Rule type: sigma | Tactics: lateral_movement, privilege_escalation | Techniques: T1078.004, T1548.005 | Sources: cloudtrail, aws

AWS EC2 Replace IAM Instance Profile

Severity: high

Detects when an IAM instance profile is replaced on a running EC2 instance.

Rule type: sigma | Tactics: lateral_movement, privilege_escalation | Techniques: T1078.004, T1548.005 | Sources: cloudtrail, aws
