AWS EC2 Instance Connect SSH Public Key Upload Detection
Adversaries may upload SSH public keys to AWS EC2 instances via the EC2 Instance Connect service using the `SendSSHPublicKey` or `SendSerialConsoleSSHPublicKey` API actions, which can serve as a mechanism for initial access, persistence, or privilege escalation, particularly if the `SendSerialConsoleSSHPublicKey` action is coupled with unauthorized serial console access.
This threat brief focuses on the detection of SSH public key uploads to AWS EC2 instances via the EC2 Instance Connect service. Adversaries can leverage the SendSSHPublicKey and SendSerialConsoleSSHPublicKey API actions to establish persistent access, facilitate lateral movement, or escalate privileges within a compromised AWS environment. While these actions are also used legitimately by administrators to connect to instances, their use by unauthorized actors indicates a significant security breach. Attackers typically exploit compromised AWS credentials to perform these actions, gaining a persistent foothold that can bypass other access controls. Detecting these API calls is crucial for identifying unauthorized access attempts and mitigating potential impact, especially when targeting critical EC2 instances or the serial console, which can offer advanced access capabilities.
Attack Chain
- Compromised AWS Credentials: An adversary obtains valid AWS credentials (e.g., access keys, temporary security credentials) through various initial access vectors such as phishing, exposed secrets, or exploiting vulnerable web applications.
- Target Identification: The adversary identifies a specific EC2 instance within the compromised AWS environment for which they want to establish persistent access or escalate privileges.
- SSH Key Generation: The adversary generates their own SSH key pair (a private key and a public key) for illicit access.
- Public Key Upload via Instance Connect: The adversary invokes the EC2 Instance Connect service, utilizing either the
SendSSHPublicKeyorSendSerialConsoleSSHPublicKeyAPI action, to upload their generated SSH public key to the targeted EC2 instance. - Persistent SSH Access: Following a successful public key upload, the adversary can now establish a direct SSH connection to the EC2 instance using their private key, thereby gaining persistent access without needing to repeatedly use the initially compromised AWS credentials.
- Lateral Movement and Privilege Escalation: With persistent SSH access to the EC2 instance, the adversary can execute commands, exfiltrate data, use the instance as a pivot point to move laterally to other AWS resources, or attempt privilege escalation if the instance's attached roles have elevated permissions.
Impact
If an adversary successfully uploads an SSH public key to an EC2 instance, the primary impact is persistent unauthorized access to that instance. This persistence allows the attacker to maintain a foothold in the environment, even if the initially compromised AWS credentials are revoked. From the compromised instance, attackers can execute arbitrary code, steal sensitive data, deploy malware, or further pivot to other services and resources within the AWS account, leading to broader data breaches, service disruptions, or resource manipulation. If the SendSerialConsoleSSHPublicKey action is exploited, it could enable access that bypasses typical network-based security controls, presenting a higher risk for privilege escalation and deeper compromise.
Recommendation
- Deploy the Sigma rule "AWS EC2 Instance Connect SSH Public Key Uploaded" to your SIEM and tune for your environment to detect successful
SendSSHPublicKeyorSendSerialConsoleSSHPublicKeyAPI calls. - Ensure AWS CloudTrail logging is enabled for all AWS accounts, specifically for the
ec2-instance-connect.amazonaws.comservice provider, to generate the necessary log data for the rule. - Investigate all alerts generated by the "AWS EC2 Instance Connect SSH Public Key Uploaded" rule by reviewing the
aws.cloudtrail.user_identity.arn,source.ip, andaws.cloudtrail.request_parametersfields to identify the actor and context. - Establish baselines for legitimate SSH key uploads to EC2 instances to reduce false positives and quickly identify anomalous activity.
- Regularly audit
ec2:EnableSerialConsoleAccesspermissions within your AWS environment, paying close attention to who has the authority to use theSendSerialConsoleSSHPublicKeyAPI action.
Detection coverage 1
AWS EC2 Instance Connect SSH Public Key Uploaded
highDetects when a new SSH public key is uploaded to an AWS EC2 instance using the EC2 Instance Connect service, which adversaries may use for persistence or privilege escalation.
Detection queries are available on the platform. Get full rules →