<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>EC2 Instances - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/ec2-instances/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 15 Jul 2026 14:40:41 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/ec2-instances/feed.xml" rel="self" type="application/rss+xml"/><item><title>AWS EC2 Instance Connect SSH Public Key Upload Detection</title><link>https://feed.craftedsignal.io/briefs/2026-07-aws-ec2-instance-connect-ssh-key-upload/</link><pubDate>Wed, 15 Jul 2026 14:40:41 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-aws-ec2-instance-connect-ssh-key-upload/</guid><description>Adversaries may upload SSH public keys to AWS EC2 instances via the EC2 Instance Connect service using the `SendSSHPublicKey` or `SendSerialConsoleSSHPublicKey` API actions, which can serve as a mechanism for initial access, persistence, or privilege escalation, particularly if the `SendSerialConsoleSSHPublicKey` action is coupled with unauthorized serial console access.</description><content:encoded><![CDATA[<p>This threat brief focuses on the detection of SSH public key uploads to AWS EC2 instances via the EC2 Instance Connect service. Adversaries can leverage the <code>SendSSHPublicKey</code> and <code>SendSerialConsoleSSHPublicKey</code> API actions to establish persistent access, facilitate lateral movement, or escalate privileges within a compromised AWS environment. While these actions are also used legitimately by administrators to connect to instances, their use by unauthorized actors indicates a significant security breach. Attackers typically exploit compromised AWS credentials to perform these actions, gaining a persistent foothold that can bypass other access controls. Detecting these API calls is crucial for identifying unauthorized access attempts and mitigating potential impact, especially when targeting critical EC2 instances or the serial console, which can offer advanced access capabilities.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Compromised AWS Credentials</strong>: An adversary obtains valid AWS credentials (e.g., access keys, temporary security credentials) through various initial access vectors such as phishing, exposed secrets, or exploiting vulnerable web applications.</li>
<li><strong>Target Identification</strong>: The adversary identifies a specific EC2 instance within the compromised AWS environment for which they want to establish persistent access or escalate privileges.</li>
<li><strong>SSH Key Generation</strong>: The adversary generates their own SSH key pair (a private key and a public key) for illicit access.</li>
<li><strong>Public Key Upload via Instance Connect</strong>: The adversary invokes the EC2 Instance Connect service, utilizing either the <code>SendSSHPublicKey</code> or <code>SendSerialConsoleSSHPublicKey</code> API action, to upload their generated SSH public key to the targeted EC2 instance.</li>
<li><strong>Persistent SSH Access</strong>: Following a successful public key upload, the adversary can now establish a direct SSH connection to the EC2 instance using their private key, thereby gaining persistent access without needing to repeatedly use the initially compromised AWS credentials.</li>
<li><strong>Lateral Movement and Privilege Escalation</strong>: With persistent SSH access to the EC2 instance, the adversary can execute commands, exfiltrate data, use the instance as a pivot point to move laterally to other AWS resources, or attempt privilege escalation if the instance's attached roles have elevated permissions.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>If an adversary successfully uploads an SSH public key to an EC2 instance, the primary impact is persistent unauthorized access to that instance. This persistence allows the attacker to maintain a foothold in the environment, even if the initially compromised AWS credentials are revoked. From the compromised instance, attackers can execute arbitrary code, steal sensitive data, deploy malware, or further pivot to other services and resources within the AWS account, leading to broader data breaches, service disruptions, or resource manipulation. If the <code>SendSerialConsoleSSHPublicKey</code> action is exploited, it could enable access that bypasses typical network-based security controls, presenting a higher risk for privilege escalation and deeper compromise.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;AWS EC2 Instance Connect SSH Public Key Uploaded&quot; to your SIEM and tune for your environment to detect successful <code>SendSSHPublicKey</code> or <code>SendSerialConsoleSSHPublicKey</code> API calls.</li>
<li>Ensure AWS CloudTrail logging is enabled for all AWS accounts, specifically for the <code>ec2-instance-connect.amazonaws.com</code> service provider, to generate the necessary log data for the rule.</li>
<li>Investigate all alerts generated by the &quot;AWS EC2 Instance Connect SSH Public Key Uploaded&quot; rule by reviewing the <code>aws.cloudtrail.user_identity.arn</code>, <code>source.ip</code>, and <code>aws.cloudtrail.request_parameters</code> fields to identify the actor and context.</li>
<li>Establish baselines for legitimate SSH key uploads to EC2 instances to reduce false positives and quickly identify anomalous activity.</li>
<li>Regularly audit <code>ec2:EnableSerialConsoleAccess</code> permissions within your AWS environment, paying close attention to who has the authority to use the <code>SendSerialConsoleSSHPublicKey</code> API action.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cloud</category><category>aws</category><category>lateral-movement</category><category>privilege-escalation</category><category>persistence</category></item></channel></rss>