AWS EC2 Private Key
Service Name: Amazon Elastic Compute Cloud (EC2)
Service Description: Amazon EC2 is a web service that provides secure, resizable compute capacity in the cloud. It is designed to make web-scale cloud computing easier for developers, allowing them to launch virtual servers (instances) on the AWS infrastructure.
Service Address: https://aws.amazon.com/ec2/
Validation Type: NHI Enriched
IP Allow list: IP Restriction is available per instance using Security Groups, Network ACLs, and VPCs.
Secret Access Scope: Grants SSH access to EC2 instances. This private key allows direct login to EC2 instances and full administrative control over the server.
Secret Revokement URL: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/replacing-key-pair.html
Secret Example: -----BEGIN RSA PRIVATE KEY----- MIIEpAIBAAKCAQEAk5PwXxhxMQRXfkC+cR4GjzUxbeLJJ5HvqH9LUDRSYsL0UvU5 rRGHOjQvQmNj+j1YFQIDAQABAoIBAQCJZB5DiCQO3GzlQ5C7Gnz8hcJSJog6/QhY JZB5DiCQO3GzlQ5C7Gnz8hcJSJog6/QhYJZB5DiCQO3GzlQ5C7Gnz8hcJSJog6/Q hYJZB5DiCQO3GzlQ5C7Gnz8hcJSJog6/QhYJZB5DiCQO3GzlQ5C7Gnz8hcJSJog6 /QhYJZB5DiCQO3GzlQ5C7Gnz8hcJSJog6/QhYJZB5DiCQO3GzlQ5C7Gnz8hcJSJo g6/QhYJZB5DiCQO3GzlQ5C7Gnz8hcJSJog6/QhYJZB5DiCQO3GzlQ5C7Gnz8hcJS Jog6/QhYAoGBAMnXXDzBGZMV8tz3Mb+rXKMN9MHJnP3MjyQHwJIGT3xDOEwRXW8E kH1Ekj5a3qMOCaFNwleGDQH9JJFr3JwzDgUhNUoXnuW3i9yHFP5Hh+JQQnNpvRnC AoGBAMnXXDzBGZMV8tz3Mb+rXKMN9MHJnP3MjyQHwJIGT3xDOEwRXW8EkH1Ekj5a 3qMOCaFNwleGDQH9JJFr3JwzDgUhNUoXnuW3i9yHFP5Hh+JQQnNpvRnCAoGBAMnX XDzBGZMV8tz3Mb+rXKMN9MHJnP3MjyQHwJIGT3xDOEwRXW8EkH1Ekj5a3qMOCaFN wleGDQH9JJFr3JwzDgUhNUoXnuW3i9yHFP5Hh+JQQnNpvRnC -----END RSA PRIVATE KEY-----
Suspicious Activity Investigation Instructions:
- Review CloudTrail logs for unusual EC2 API calls or instance launches.
- Check VPC Flow Logs for unusual network traffic to/from EC2 instances.
- Monitor for unauthorized SSH access attempts in instance system logs.
- Verify if there are any unexpected running instances or instance types.
- Check for unusual resource utilization (CPU, memory, network) on EC2 instances.
- Review Security Group modifications that might have opened additional ports.
Mitigation Instructions:
- Immediately disable the compromised key pair by removing it from authorized_keys files on all instances.
- Create a new key pair in the AWS Console.
- Update all instances to use the new key pair (may require instance restart).
- Rotate any credentials or secrets that might have been accessible from the compromised instances.
- Review and update Security Groups to ensure only necessary ports are open.
- Consider implementing AWS Systems Manager Session Manager for SSH-less instance access.
- Enable detailed monitoring for EC2 instances to detect future suspicious activities.
- Implement AWS Config rules to monitor for public SSH keys and enforce best practices.