Skip to content
Threat Feed
medium advisory

AWS EC2 Instance Connect SSH Public Key Upload

This rule detects the uploading of new SSH public keys to AWS EC2 instances using the EC2 Instance Connect service, which could indicate an adversary attempting to maintain access, escalate privileges, or move laterally within the cloud environment.

This alert identifies when a new SSH public key is uploaded to an AWS EC2 instance using the EC2 Instance Connect service. Attackers may upload SSH public keys to maintain access, achieve persistence, or escalate privileges within the AWS environment. The detection focuses on the SendSerialConsoleSSHPublicKey and SendSSHPublicKey API actions. These API calls occur both when manually uploading keys and automatically when a user connects via the EC2 Instance Connect service through the CLI or AWS Management Console. This activity, while sometimes legitimate, represents a potential avenue for unauthorized access and requires scrutiny, especially if coupled with other suspicious actions. The rule is sourced from Elastic and was last updated on April 10, 2026.

Attack Chain

  1. An attacker gains initial access to an AWS account, potentially through compromised credentials or an exposed API key.
  2. The attacker attempts to upload an SSH public key to an EC2 instance using the SendSSHPublicKey or SendSerialConsoleSSHPublicKey API calls.
  3. The ec2-instance-connect.amazonaws.com service logs the SendSSHPublicKey or SendSerialConsoleSSHPublicKey API action in CloudTrail if successful.
  4. The attacker leverages the uploaded SSH key to gain SSH access to the targeted EC2 instance.
  5. Once inside the instance, the attacker performs reconnaissance, gathering information about the system and network configuration.
  6. The attacker moves laterally to other EC2 instances or AWS services using the compromised instance as a pivot point.
  7. If SendSerialConsoleSSHPublicKey was used, the attacker attempts privilege escalation via serial console access, potentially gaining root access.
  8. The attacker achieves persistence by maintaining SSH access via the uploaded key, allowing continued access to the AWS environment.

Impact

Successful exploitation can lead to unauthorized access to sensitive data, lateral movement within the AWS environment, and privilege escalation. This can result in data breaches, service disruption, and significant financial loss. The impact is amplified if the targeted EC2 instance hosts critical applications or data. The number of potential victims depends on the scope of the attacker's access and the sensitivity of the data stored within the compromised AWS environment.

Recommendation

  • Review CloudTrail logs for events matching the SendSSHPublicKey or SendSerialConsoleSSHPublicKey API actions to identify potential unauthorized SSH key uploads to EC2 instances (log source: aws.cloudtrail).
  • Investigate the source IP addresses (source.ip) and user identities (aws.cloudtrail.user_identity.arn) associated with these events to determine the legitimacy of the actions.
  • Deploy the provided Sigma rule "AWS EC2 Instance Connect SSH Public Key Uploaded" to your SIEM and tune for your environment to detect potentially malicious SSH key uploads (rule: AWS EC2 Instance Connect SSH Public Key Uploaded).
  • Audit EC2 instance policies and permissions to ensure adherence to the principle of least privilege and restrict unauthorized SSH key uploads.
  • Monitor for the ec2:EnableSerialConsoleAccess permission usage in conjunction with SendSerialConsoleSSHPublicKey to identify potential privilege escalation attempts (log source: aws.cloudtrail).

Detection coverage 2

AWS EC2 Instance Connect SSH Public Key Uploaded

medium

Detects when a new SSH public key is uploaded to an AWS EC2 instance using the EC2 Instance Connect service.

sigma tactics: lateral_movement, persistence, privilege_escalation techniques: T1021.004, T1098.004 sources: cloudtrail, aws

AWS EC2 Serial Console Access Enabled

low

Detects when the ec2:EnableSerialConsoleAccess permission is used, potentially indicating an attempt to enable and exploit the serial console for privilege escalation.

sigma tactics: privilege_escalation techniques: T1068 sources: cloudtrail, aws

Detection queries are available on the platform. Get full rules →