AWS EC2 Deprecated AMI Discovery
A user querying for deprecated Amazon Machine Images (AMIs) in AWS via the DescribeImages API call may indicate an adversary looking for outdated and potentially vulnerable AMIs for exploitation.
This rule detects when a user queries AWS for deprecated Amazon Machine Images (AMIs) using the DescribeImages API call. While querying for deprecated AMIs is not inherently malicious, it may indicate an adversary searching for outdated AMIs that may be vulnerable to exploitation. This behavior may stem from a misconfiguration or a legitimate use case, such as security assessments or legacy system maintenance. The rule focuses on identifying DescribeImages API calls with the includeDeprecated parameter set to "true," which signifies an explicit request for deprecated AMIs. This activity warrants investigation to determine the intent behind the query and assess potential security risks within the AWS environment.
Attack Chain
- Initial Access: The attacker gains access to an AWS account through compromised credentials or a misconfigured IAM role.
- Reconnaissance: The attacker uses the AWS CLI or SDK to query for deprecated AMIs via the
DescribeImagesAPI call, setting theincludeDeprecatedparameter to "true." - Discovery: The attacker analyzes the results of the
DescribeImagesAPI call to identify deprecated AMIs that may be vulnerable to exploitation. - Vulnerability Assessment: The attacker researches the identified deprecated AMIs for known vulnerabilities and exploits.
- Resource Provisioning: The attacker attempts to launch an EC2 instance using a deprecated AMI, potentially bypassing security controls due to the AMI's age.
- Privilege Escalation/Lateral Movement: If the deprecated AMI contains vulnerable software, the attacker exploits it to gain elevated privileges or move laterally within the AWS environment.
- Data Exfiltration/Impact: The attacker uses the compromised EC2 instance to exfiltrate sensitive data or cause disruption to AWS services.
Impact
A successful attack leveraging deprecated AMIs can lead to the compromise of EC2 instances, data breaches, and service disruptions. While this event by itself is low severity, it can act as a part of a larger attack and indicate the early stages of cloud reconnaissance. The impact of exploiting vulnerable AMIs includes data exfiltration, service downtime, and unauthorized access to other AWS resources.
Recommendation
- Deploy the Sigma rule
AWS EC2 Deprecated AMI Discoveryto your SIEM to detect queries for deprecated AMIs and tune for your environment. - Review the source IP address (
source.ip) of the request to identify potentially suspicious origins as per theAWS EC2 Deprecated AMI Discoveryrule. - Restrict IAM permissions to prevent unauthorized access to deprecated AMIs as mentioned in the investigation steps.
- Enable alerts for future queries involving deprecated AMIs or other unusual API activity within CloudTrail logs as mentioned in the remediation steps.
Detection coverage 2
AWS EC2 Deprecated AMI Discovery
lowDetects when a user queries AWS for deprecated Amazon Machine Images (AMIs), which may indicate reconnaissance for vulnerable systems.
AWS EC2 Deprecated AMI Discovery - Source IP Analysis
mediumDetects when a user from a suspicious IP queries AWS for deprecated Amazon Machine Images (AMIs).
Detection queries are available on the platform. Get full rules →