{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/ec2-instances/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["EC2 Instance Connect","EC2 instances"],"_cs_severities":["high"],"_cs_tags":["cloud","aws","lateral-movement","privilege-escalation","persistence"],"_cs_type":"advisory","_cs_vendors":["Amazon Web Services"],"content_html":"\u003cp\u003eThis threat brief focuses on the detection of SSH public key uploads to AWS EC2 instances via the EC2 Instance Connect service. Adversaries can leverage the \u003ccode\u003eSendSSHPublicKey\u003c/code\u003e and \u003ccode\u003eSendSerialConsoleSSHPublicKey\u003c/code\u003e API actions to establish persistent access, facilitate lateral movement, or escalate privileges within a compromised AWS environment. While these actions are also used legitimately by administrators to connect to instances, their use by unauthorized actors indicates a significant security breach. Attackers typically exploit compromised AWS credentials to perform these actions, gaining a persistent foothold that can bypass other access controls. Detecting these API calls is crucial for identifying unauthorized access attempts and mitigating potential impact, especially when targeting critical EC2 instances or the serial console, which can offer advanced access capabilities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eCompromised AWS Credentials\u003c/strong\u003e: An adversary obtains valid AWS credentials (e.g., access keys, temporary security credentials) through various initial access vectors such as phishing, exposed secrets, or exploiting vulnerable web applications.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTarget Identification\u003c/strong\u003e: The adversary identifies a specific EC2 instance within the compromised AWS environment for which they want to establish persistent access or escalate privileges.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSSH Key Generation\u003c/strong\u003e: The adversary generates their own SSH key pair (a private key and a public key) for illicit access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePublic Key Upload via Instance Connect\u003c/strong\u003e: The adversary invokes the EC2 Instance Connect service, utilizing either the \u003ccode\u003eSendSSHPublicKey\u003c/code\u003e or \u003ccode\u003eSendSerialConsoleSSHPublicKey\u003c/code\u003e API action, to upload their generated SSH public key to the targeted EC2 instance.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistent SSH Access\u003c/strong\u003e: Following a successful public key upload, the adversary can now establish a direct SSH connection to the EC2 instance using their private key, thereby gaining persistent access without needing to repeatedly use the initially compromised AWS credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement and Privilege Escalation\u003c/strong\u003e: With persistent SSH access to the EC2 instance, the adversary can execute commands, exfiltrate data, use the instance as a pivot point to move laterally to other AWS resources, or attempt privilege escalation if the instance's attached roles have elevated permissions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eIf an adversary successfully uploads an SSH public key to an EC2 instance, the primary impact is persistent unauthorized access to that instance. This persistence allows the attacker to maintain a foothold in the environment, even if the initially compromised AWS credentials are revoked. From the compromised instance, attackers can execute arbitrary code, steal sensitive data, deploy malware, or further pivot to other services and resources within the AWS account, leading to broader data breaches, service disruptions, or resource manipulation. If the \u003ccode\u003eSendSerialConsoleSSHPublicKey\u003c/code\u003e action is exploited, it could enable access that bypasses typical network-based security controls, presenting a higher risk for privilege escalation and deeper compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;AWS EC2 Instance Connect SSH Public Key Uploaded\u0026quot; to your SIEM and tune for your environment to detect successful \u003ccode\u003eSendSSHPublicKey\u003c/code\u003e or \u003ccode\u003eSendSerialConsoleSSHPublicKey\u003c/code\u003e API calls.\u003c/li\u003e\n\u003cli\u003eEnsure AWS CloudTrail logging is enabled for all AWS accounts, specifically for the \u003ccode\u003eec2-instance-connect.amazonaws.com\u003c/code\u003e service provider, to generate the necessary log data for the rule.\u003c/li\u003e\n\u003cli\u003eInvestigate all alerts generated by the \u0026quot;AWS EC2 Instance Connect SSH Public Key Uploaded\u0026quot; rule by reviewing the \u003ccode\u003eaws.cloudtrail.user_identity.arn\u003c/code\u003e, \u003ccode\u003esource.ip\u003c/code\u003e, and \u003ccode\u003eaws.cloudtrail.request_parameters\u003c/code\u003e fields to identify the actor and context.\u003c/li\u003e\n\u003cli\u003eEstablish baselines for legitimate SSH key uploads to EC2 instances to reduce false positives and quickly identify anomalous activity.\u003c/li\u003e\n\u003cli\u003eRegularly audit \u003ccode\u003eec2:EnableSerialConsoleAccess\u003c/code\u003e permissions within your AWS environment, paying close attention to who has the authority to use the \u003ccode\u003eSendSerialConsoleSSHPublicKey\u003c/code\u003e API action.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-15T14:40:41Z","date_published":"2026-07-15T14:40:41Z","id":"https://feed.craftedsignal.io/briefs/2026-07-aws-ec2-instance-connect-ssh-key-upload/","summary":"Adversaries may upload SSH public keys to AWS EC2 instances via the EC2 Instance Connect service using the `SendSSHPublicKey` or `SendSerialConsoleSSHPublicKey` API actions, which can serve as a mechanism for initial access, persistence, or privilege escalation, particularly if the `SendSerialConsoleSSHPublicKey` action is coupled with unauthorized serial console access.","title":"AWS EC2 Instance Connect SSH Public Key Upload Detection","url":"https://feed.craftedsignal.io/briefs/2026-07-aws-ec2-instance-connect-ssh-key-upload/"}],"language":"en","title":"CraftedSignal Threat Feed - EC2 Instances","version":"https://jsonfeed.org/version/1.1"}