Triggers
- EC2 generated temporary credential used outside of EC2.
Possible Root Causes
- An attacker has extracted a temporary credential from an EC2 instance and is using it to further their attack.
- An application is generating temporary credentials via EC2 instances and using them in an unusual way.
Business Impact
- Attackers may use temporary credentials to maintain persistent command and control in an environment, which increases the risk of data loss or of impact to assets and services.
Steps to Verify
- Review the actions taken with the credential after the identified activity, and the potential risk posed by that access.
- Discuss with the EC2 instance owners to determine whether the use of instance-generated temporary keys outside of EC2 is known and legitimate.
- If the review determines there is a high risk to data or the environment, disable the credentials and perform a comprehensive investigation.
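The trigger above and the first verification step can be worked through against CloudTrail data. The following is an added example, not part of the original detection description and not vendor code: it runs over a constructed set of CloudTrail-like events and assumes two things the page does not state. First, that an instance-profile session is recognisable by its AssumedRole session name being an EC2 instance id (CloudTrail records these as `arn:aws:sts::ACCOUNT:assumed-role/ROLE/i-...`). Second, that the account's EC2 footprint is known as a list of CIDRs (VPC ranges plus Elastic IPs) so that a source IP outside them counts as "outside of EC2". The account id, role name, instance id and addresses are invented. Once a session is flagged, every later call it makes is collected, which is the material the first verification step asks a reviewer to look at.

```python
"""Flag EC2 instance-profile credentials seen from outside the account's EC2
address space, over constructed CloudTrail-like events.

Assumptions (added here, not from the original page): the account's EC2 footprint
is supplied as a list of CIDRs, and an instance-profile session is recognised by
its AssumedRole session name being an EC2 instance id (i-...)."""
import ipaddress
import re
from collections import defaultdict

INSTANCE_ID_RE = re.compile(r"^i-[0-9a-f]{8,17}$")

# Constructed sample events. Account id, role name, instance id and IPs are invented.
ROLE_ARN = "arn:aws:sts::111122223333:assumed-role/app-server-role/i-0abc123def4567890"
SAMPLE_EVENTS = [
    # Normal use from inside the VPC.
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "10.0.1.25",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN}},
    # The same session credentials, now used from an address the account does not own.
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN}},
    {"eventTime": "2024-05-01T10:06:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN}},
    # An AWS service acting for the session: sourceIPAddress is a service name, not an IP.
    {"eventTime": "2024-05-01T10:07:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "ec2.amazonaws.com",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN}},
    # A human AssumeRole session from off-net: not an instance-profile credential, out of scope.
    {"eventTime": "2024-05-01T10:08:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "sourceIPAddress": "198.51.100.4",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/admin-role/alice"}},
]

# Constructed: the account's VPC CIDR plus one Elastic IP.
KNOWN_EC2_RANGES = ["10.0.0.0/16", "192.0.2.10/32"]


def instance_session_id(user_identity):
    """Return the EC2 instance id if this identity is an instance-profile session, else None."""
    if user_identity.get("type") != "AssumedRole":
        return None
    session_name = user_identity.get("arn", "").rsplit("/", 1)[-1]
    return session_name if INSTANCE_ID_RE.match(session_name) else None


def source_in_ranges(source, ranges):
    """True if source is an IP inside any range, False if it is an IP outside all of them,
    None if it is not an IP at all (CloudTrail puts AWS service names in this field)."""
    try:
        ip = ipaddress.ip_address(source)
    except ValueError:
        return None
    return any(ip in ipaddress.ip_network(r) for r in ranges)


def find_off_instance_use(events, known_ranges):
    """One finding per session ARN: the first off-range event plus every later call by that session."""
    events = sorted(events, key=lambda e: e["eventTime"])
    first_hit = {}
    later_calls = defaultdict(list)
    for ev in events:
        arn = ev["userIdentity"].get("arn", "")
        if arn in first_hit:
            # Already flagged: keep collecting its activity for the reviewer.
            later_calls[arn].append((ev["eventSource"], ev["eventName"]))
            continue
        if instance_session_id(ev["userIdentity"]) is None:
            continue
        inside = source_in_ranges(ev["sourceIPAddress"], known_ranges)
        if inside is False:  # None (service-initiated) and True (in range) are both expected
            first_hit[arn] = ev
            later_calls[arn].append((ev["eventSource"], ev["eventName"]))
    return [
        {"session_arn": arn,
         "instance_id": instance_session_id(ev["userIdentity"]),
         "source_ip": ev["sourceIPAddress"],
         "first_seen": ev["eventTime"],
         "actions": later_calls[arn]}
        for arn, ev in first_hit.items()
    ]


if __name__ == "__main__":
    for finding in find_off_instance_use(SAMPLE_EVENTS, KNOWN_EC2_RANGES):
        print(finding)
```

Two design choices matter in practice. Events whose `sourceIPAddress` is a service name are never treated as "outside EC2", because those are calls an AWS service made on the session's behalf rather than a credential leaving the instance. And the list of CIDRs stands in for whatever inventory the environment actually has; if Elastic IPs or NAT gateway addresses are missing from it, legitimate instance traffic will be flagged, which is the "unusual but legitimate" root cause the page lists and the reason the second verification step goes to the instance owners.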