Suspicious AWS EC2 Key Pair Creation from Non-Cloud Autonomous System
An Elastic detection rule identifies when a previously unseen AWS IAM principal successfully creates an EC2 key pair from an Autonomous System (AS) organization not associated with common cloud or hyperscaler providers, indicating potential attacker persistence or preparation for unauthorized instance access via SSH.
Adversaries targeting AWS environments may attempt to establish persistence or prepare for unauthorized access to EC2 instances by creating new SSH key pairs. This brief details an Elastic detection rule designed to identify such suspicious activity. The rule triggers when an AWS IAM principal successfully executes the CreateKeyPair API call from a network whose Autonomous System (AS) organization is not a recognized cloud provider (such as Amazon, Google, or Microsoft). This detection is particularly sensitive as it focuses on the first time a given principal performs this action from an unusual source AS, which can be an early indicator of a compromised account being used to stage access materials. Defenders should investigate these alerts to determine if the activity aligns with legitimate operational changes or represents an attacker's attempt to gain a foothold.
Attack Chain
- Initial Access: An adversary gains unauthorized access to an AWS environment, often by compromising an IAM user or role via phishing, exposed credentials, or exploiting a vulnerable application.
- Credential Compromise: The attacker acquires credentials for an existing IAM principal (user or role) within the target AWS account.
- Persistence Staging: Using the compromised credentials, the attacker calls the
CreateKeyPairAPI from an unusual network location (i.e., an AS organization not belonging to a major cloud provider). This action generates a new SSH key pair. - Key Material Exfiltration: The
CreateKeyPairAPI returns the private key material to the caller. The attacker immediately downloads and stores this private key. - SSH Access Preparation: The newly created public key is associated with the AWS account, allowing it to be injected into new or existing EC2 instances.
- Lateral Movement/Persistence: The attacker uses the exfiltrated private key to establish SSH connections to EC2 instances launched with, or updated to use, this key pair, thereby achieving persistence and enabling further malicious activities.
- Impact: Once SSH access is established, the attacker can perform actions such as data exfiltration, deployment of malicious software, or further enumeration of the environment.
Impact
If adversaries successfully create and leverage new EC2 key pairs from unusual network locations, it directly leads to unauthorized persistence and potential remote access to critical cloud infrastructure. This can enable a range of damaging activities, including data theft from EC2 instances or S3 buckets, resource hijacking for cryptocurrency mining, further privilege escalation within the AWS environment, or disruption of services. Such breaches can result in significant financial losses due to compromised data, operational downtime, and regulatory fines, alongside severe reputational damage. The ability to maintain access via SSH keys makes detection and remediation challenging, allowing attackers extended dwell time.
Recommendation
- Deploy the Sigma rule
AWS_EC2_CreateKeyPair_New_Principal_Non_Cloud_ASto your SIEM to detect suspiciousCreateKeyPairactivity. - Ensure AWS CloudTrail logging is enabled and configured to capture
event.dataset: "aws.cloudtrail"data, includingevent.provider: "ec2.amazonaws.com"andevent.action: "CreateKeyPair". - Investigate all alerts generated by the
AWS_EC2_CreateKeyPair_New_Principal_Non_Cloud_ASrule, examiningaws.cloudtrail.request_parameters,response_elementsforkeyName, and correlatingsource.ip,source.geo, anduser_agent.originalwith the principal’s normal administrative paths. - If unauthorized activity is confirmed, delete the suspicious key pair using
DeleteKeyPair, review IAM policies forec2:CreateKeyPairpermissions, and rotate any credentials used by the compromised IAM principal.
Detection coverage 1
AWS EC2 CreateKeyPair from Non-Cloud AS Organization
highDetects suspicious AWS EC2 CreateKeyPair API calls initiated by any IAM principal from an Autonomous System (AS) organization not associated with common cloud or hyperscaler providers. This behavior can indicate an adversary establishing persistence or preparing for instance access.
Detection queries are available on the platform. Get full rules →