Skip to content

AWS EC2 Private Key

Service Name: Amazon Elastic Compute Cloud (EC2)

Service Description: Amazon EC2 is a web service that provides secure, resizable compute capacity in the cloud. It is designed to make web-scale cloud computing easier for developers, allowing them to launch virtual servers (instances) on the AWS infrastructure.

Service Address: https://aws.amazon.com/ec2/

Validation Type: NHI Enriched

IP Allow list: IP Restriction is available per instance using Security Groups, Network ACLs, and VPCs.

Secret Access Scope: Grants SSH access to EC2 instances. This private key allows direct login to EC2 instances and full administrative control over the server.

Secret Revokement URL: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/replacing-key-pair.html

Secret Example: -----BEGIN RSA PRIVATE KEY----- MIIEpAIBAAKCAQEAk5PwXxhxMQRXfkC+cR4GjzUxbeLJJ5HvqH9LUDRSYsL0UvU5 rRGHOjQvQmNj+j1YFQIDAQABAoIBAQCJZB5DiCQO3GzlQ5C7Gnz8hcJSJog6/QhY JZB5DiCQO3GzlQ5C7Gnz8hcJSJog6/QhYJZB5DiCQO3GzlQ5C7Gnz8hcJSJog6/Q hYJZB5DiCQO3GzlQ5C7Gnz8hcJSJog6/QhYJZB5DiCQO3GzlQ5C7Gnz8hcJSJog6 /QhYJZB5DiCQO3GzlQ5C7Gnz8hcJSJog6/QhYJZB5DiCQO3GzlQ5C7Gnz8hcJSJo g6/QhYJZB5DiCQO3GzlQ5C7Gnz8hcJSJog6/QhYJZB5DiCQO3GzlQ5C7Gnz8hcJS Jog6/QhYAoGBAMnXXDzBGZMV8tz3Mb+rXKMN9MHJnP3MjyQHwJIGT3xDOEwRXW8E kH1Ekj5a3qMOCaFNwleGDQH9JJFr3JwzDgUhNUoXnuW3i9yHFP5Hh+JQQnNpvRnC AoGBAMnXXDzBGZMV8tz3Mb+rXKMN9MHJnP3MjyQHwJIGT3xDOEwRXW8EkH1Ekj5a 3qMOCaFNwleGDQH9JJFr3JwzDgUhNUoXnuW3i9yHFP5Hh+JQQnNpvRnCAoGBAMnX XDzBGZMV8tz3Mb+rXKMN9MHJnP3MjyQHwJIGT3xDOEwRXW8EkH1Ekj5a3qMOCaFN wleGDQH9JJFr3JwzDgUhNUoXnuW3i9yHFP5Hh+JQQnNpvRnC -----END RSA PRIVATE KEY-----

Suspicious Activity Investigation Instructions:

  • Review CloudTrail logs for unusual EC2 API calls or instance launches.
  • Check VPC Flow Logs for unusual network traffic to/from EC2 instances.
  • Monitor for unauthorized SSH access attempts in instance system logs.
  • Verify if there are any unexpected running instances or instance types.
  • Check for unusual resource utilization (CPU, memory, network) on EC2 instances.
  • Review Security Group modifications that might have opened additional ports.

Mitigation Instructions:

  • Immediately disable the compromised key pair by removing it from authorized_keys files on all instances.
  • Create a new key pair in the AWS Console.
  • Update all instances to use the new key pair (may require instance restart).
  • Rotate any credentials or secrets that might have been accessible from the compromised instances.
  • Review and update Security Groups to ensure only necessary ports are open.
  • Consider implementing AWS Systems Manager Session Manager for SSH-less instance access.
  • Enable detailed monitoring for EC2 instances to detect future suspicious activities.
  • Implement AWS Config rules to monitor for public SSH keys and enforce best practices.