Elastic Compute Cloud (EC2) is arguably one of the most popular AWS services, and really needs no introduction, but here is one anyway.
The AWS Shared Responsibility model states that you are responsible for many things in EC2, including EC2 Security Groups, securing the OS, network access, and the Elastic Block Store (EBS) volumes for all your instances, just to name a few.
AWS provides a range of security controls (most of which come at an additional cost) to help you meet these responsibilities, but enabling and configuring them is left up to you, and your mileage may vary.
Although this post is only about the AWS EC2 service, Sysdig has you covered with more than 188 out-of-the-box rules for the most important AWS services you might be using.
Today, we will uncover how changes in your AWS EC2 configuration can create major security holes.
We will then hunt for these high-risk configuration events using native tools, and compare that with how Sysdig Secure helps in the same situations.
Which Amazon EC2 Configuration events create a Threat?
Sysdig has identified 20 risky configuration events, and this list is extensible.
Several of these events map to one or more well-known MITRE ATT&CK TTPs from the IaaS cloud matrix (https://attack.mitre.org/matrices/enterprise/cloud/iaas/), which are essential for cloud infrastructure threat mapping.
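To hunt for these events with native tooling, as the post sets out to do, here is an added example (not Sysdig's code) that scans a CloudTrail log file for EC2 eventName values from a small rule table and escalates a security-group ingress rule that opens a port to 0.0.0.0/0. The two-entry rule table, the severity levels and the sample records are assumptions of this example, not the page's 20-event list.

```python
import json

# Abbreviated rule table, constructed for this example (the page's own list has
# 20 entries); keys are CloudTrail eventName values of the EC2 API.
RISKY_EC2_EVENTS = {
    "AllocateAddress": ("Allocate New Elastic IP Address to AWS Account", "New public entry point"),
    "AuthorizeSecurityGroupIngress": ("Add Security Group Ingress Rule", "Opens a port"),
}
WORLD_OPEN = {"0.0.0.0/0", "::/0"}


def world_open_ranges(params):
    """CIDRs in a security-group request that expose a port to everyone."""
    found = []
    for perm in (params.get("ipPermissions") or {}).get("items", []):
        for rng in (perm.get("ipRanges") or {}).get("items", []):
            if rng.get("cidrIp") in WORLD_OPEN:
                found.append(rng["cidrIp"])
    return found


def hunt(trail_json):
    """Return one finding per risky EC2 configuration event in a CloudTrail file."""
    findings = []
    for rec in json.loads(trail_json).get("Records", []):
        name = rec.get("eventName")
        if rec.get("eventSource") != "ec2.amazonaws.com" or name not in RISKY_EC2_EVENTS:
            continue  # read-only calls and other services are not in the table
        event, impact = RISKY_EC2_EVENTS[name]
        exposed = world_open_ranges(rec.get("requestParameters") or {})
        findings.append({"time": rec.get("eventTime"), "event": event, "impact": impact,
                         "actor": (rec.get("userIdentity") or {}).get("arn"),
                         "severity": "high" if exposed else "medium", "world_open": exposed})
    return findings


# Constructed sample records (not real CloudTrail output) in the documented layout.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2023-01-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AllocateAddress", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev"},
     "requestParameters": {"domain": "vpc"}},
    {"eventTime": "2023-01-01T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2023-01-01T10:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev"}},
]})
```

Calling hunt(SAMPLE_TRAIL) yields two findings: the Elastic IP allocation at medium severity and the world-open SSH rule at high, while the read-only DescribeInstances call is ignored.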
Security Event | Impact | Description
Allocate New Elastic IP Address to AWS Account | |