AWS EC2 Instance Connect SSH Public Key Upload
This rule detects the uploading of new SSH public keys to AWS EC2 instances using the EC2 Instance Connect service, which could indicate an adversary attempting to maintain access, escalate privileges, or move laterally within the cloud environment.
This alert identifies when a new SSH public key is uploaded to an AWS EC2 instance using the EC2 Instance Connect service. Attackers may upload SSH public keys to maintain access, achieve persistence, or escalate privileges within the AWS environment. The detection focuses on the SendSerialConsoleSSHPublicKey and SendSSHPublicKey API actions. These API calls occur both when manually uploading keys and automatically when a user connects via the EC2 Instance Connect service through the CLI or AWS Management Console. This activity, while sometimes legitimate, represents a potential avenue for unauthorized access and requires scrutiny, especially if coupled with other suspicious actions. The rule is sourced from Elastic and was last updated on April 10, 2026.
Attack Chain
- An attacker gains initial access to an AWS account, potentially through compromised credentials or an exposed API key.
- The attacker attempts to upload an SSH public key to an EC2 instance using the
SendSSHPublicKeyorSendSerialConsoleSSHPublicKeyAPI calls. - The
ec2-instance-connect.amazonaws.comservice logs theSendSSHPublicKeyorSendSerialConsoleSSHPublicKeyAPI action in CloudTrail if successful. - The attacker leverages the uploaded SSH key to gain SSH access to the targeted EC2 instance.
- Once inside the instance, the attacker performs reconnaissance, gathering information about the system and network configuration.
- The attacker moves laterally to other EC2 instances or AWS services using the compromised instance as a pivot point.
- If
SendSerialConsoleSSHPublicKeywas used, the attacker attempts privilege escalation via serial console access, potentially gaining root access. - The attacker achieves persistence by maintaining SSH access via the uploaded key, allowing continued access to the AWS environment.
Impact
Successful exploitation can lead to unauthorized access to sensitive data, lateral movement within the AWS environment, and privilege escalation. This can result in data breaches, service disruption, and significant financial loss. The impact is amplified if the targeted EC2 instance hosts critical applications or data. The number of potential victims depends on the scope of the attacker's access and the sensitivity of the data stored within the compromised AWS environment.
Recommendation
- Review CloudTrail logs for events matching the
SendSSHPublicKeyorSendSerialConsoleSSHPublicKeyAPI actions to identify potential unauthorized SSH key uploads to EC2 instances (log source: aws.cloudtrail). - Investigate the source IP addresses (
source.ip) and user identities (aws.cloudtrail.user_identity.arn) associated with these events to determine the legitimacy of the actions. - Deploy the provided Sigma rule "AWS EC2 Instance Connect SSH Public Key Uploaded" to your SIEM and tune for your environment to detect potentially malicious SSH key uploads (rule: AWS EC2 Instance Connect SSH Public Key Uploaded).
- Audit EC2 instance policies and permissions to ensure adherence to the principle of least privilege and restrict unauthorized SSH key uploads.
- Monitor for the
ec2:EnableSerialConsoleAccesspermission usage in conjunction withSendSerialConsoleSSHPublicKeyto identify potential privilege escalation attempts (log source: aws.cloudtrail).
Detection coverage 2
AWS EC2 Instance Connect SSH Public Key Uploaded
mediumDetects when a new SSH public key is uploaded to an AWS EC2 instance using the EC2 Instance Connect service.
AWS EC2 Serial Console Access Enabled
lowDetects when the ec2:EnableSerialConsoleAccess permission is used, potentially indicating an attempt to enable and exploit the serial console for privilege escalation.
Detection queries are available on the platform. Get full rules →