EC2 metadata service enumeration detection


How do I identify suspicious EC2 metadata enumeration activity? Should we detect it from CloudTrail, or use the CLI to analyze the EC2 access logs? Thanks

asked 2 years ago, 504 views
1 answer

To inspect suspicious traffic to the instance metadata service, I would check VPC Flow Logs. Those record network connectivity, so you could see whether there is suspicious network traffic to the EC2 instance metadata service.

AWS GuardDuty comes with a VPC Flow Log Finding: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#unauthorizedaccess-ec2-metadatadnsrebind (Keep in mind AWS GuardDuty does have a cost associated with the service: https://aws.amazon.com/guardduty/pricing/).

I would also recommend using IMDSv2 if possible, which is a session-oriented method, compared with the request/response method of IMDSv1: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html

VPC Flow Logs: https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html

jsonc
answered 2 years ago
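An added example, not part of the answer above and not AWS code, that works the CloudTrail side of the original question. One caveat a practitioner should know when following the answer: the VPC Flow Logs documentation lists traffic to and from 169.254.169.254 for instance metadata among the traffic that flow logs do not capture, so the IMDS requests themselves will not appear there. What does get recorded is what happens next: when credentials pulled from IMDS are used, CloudTrail logs the call with the instance id as the role session name, the source IP, and `sessionContext.ec2RoleDelivery` (1.0 for IMDSv1, 2.0 for IMDSv2). The script below triages constructed CloudTrail-style records for three signals: instance-profile credentials delivered by IMDSv1, instance credentials used from an IP the instance does not egress from, and a spread of read-only enumeration calls from one IP. The `EXPECTED_EGRESS` allowlist, the sample events, and the `ENUM_THRESHOLD` of 5 are assumptions made for the example; `imdsv1_allowed` reads the `MetadataOptions` shape returned by `describe-instances` to check whether IMDSv2 is actually enforced, which ties in with the IMDSv2 recommendation in the answer.

```python
"""Triage CloudTrail records for follow-on use of credentials harvested from IMDS."""
from collections import defaultdict
from ipaddress import ip_address

# Hypothetical allowlist of the egress IP(s) each instance is expected to call
# AWS APIs from (its public IP or the NAT gateway EIP). Constructed for this example.
EXPECTED_EGRESS = {"i-0abc123def456789a": {"203.0.113.10"}}

ENUM_PREFIXES = ("List", "Describe", "Get")
ENUM_THRESHOLD = 5  # distinct read-only calls from one IP before flagging (arbitrary)


def _ev(name, source, src_ip, session, delivery=None):
    """Build a constructed CloudTrail-style record. Field names follow the
    CloudTrail record format; every value is made up for this example."""
    ctx = {"ec2RoleDelivery": delivery} if delivery else {}
    return {
        "eventName": name,
        "eventSource": source,
        "sourceIPAddress": src_ip,
        "userIdentity": {
            "type": "AssumedRole",
            "principalId": "AROAEXAMPLEID:" + session,  # role id : session name
            "sessionContext": ctx,
        },
    }


INSTANCE = "i-0abc123def456789a"
SAMPLE_EVENTS = [  # constructed sample input
    # Normal: the instance itself, IMDSv2 session, from its own egress IP.
    _ev("GetObject", "s3.amazonaws.com", "203.0.113.10", INSTANCE, "2.0"),
    # The same instance role used from elsewhere with IMDSv1-delivered
    # credentials, running through a spread of read-only calls.
    _ev("GetCallerIdentity", "sts.amazonaws.com", "198.51.100.77", INSTANCE, "1.0"),
    _ev("ListBuckets", "s3.amazonaws.com", "198.51.100.77", INSTANCE, "1.0"),
    _ev("DescribeInstances", "ec2.amazonaws.com", "198.51.100.77", INSTANCE, "1.0"),
    _ev("ListRoles", "iam.amazonaws.com", "198.51.100.77", INSTANCE, "1.0"),
    _ev("ListSecrets", "secretsmanager.amazonaws.com", "198.51.100.77", INSTANCE, "1.0"),
    # Service-initiated call on the instance's behalf: sourceIPAddress is a hostname.
    _ev("DescribeVolumes", "ec2.amazonaws.com", "ec2.amazonaws.com", INSTANCE, "2.0"),
    # A human's assumed-role session, not an instance profile: ignored.
    _ev("ListUsers", "iam.amazonaws.com", "198.51.100.77", "alice"),
]


def instance_id_of(event):
    """Instance id if the call used instance-profile credentials (EC2 sets the
    role session name to the instance id), otherwise None."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    session_name = ident.get("principalId", "").split(":", 1)[-1]
    return session_name if session_name.startswith("i-") else None


def triage(events, expected_egress=EXPECTED_EGRESS):
    """Return findings as (kind, instance_id, detail, source_ip) tuples."""
    findings = []
    enum_calls = defaultdict(set)  # (instance, source ip) -> distinct read-only calls
    for ev in events:
        iid = instance_id_of(ev)
        if iid is None:
            continue
        ctx = ev["userIdentity"].get("sessionContext", {})
        src = ev.get("sourceIPAddress", "")
        if ctx.get("ec2RoleDelivery") == "1.0":
            findings.append(("IMDSV1_CREDENTIAL_USE", iid, ev["eventName"], src))
        try:
            ip_address(src)
        except ValueError:
            continue  # service-initiated calls carry a hostname here, not an IP
        allowed = expected_egress.get(iid)
        if allowed is not None and src not in allowed:
            findings.append(("CREDENTIALS_USED_OFF_INSTANCE", iid, ev["eventName"], src))
        if ev["eventName"].startswith(ENUM_PREFIXES):
            enum_calls[(iid, src)].add(ev["eventName"])
    for (iid, src), names in enum_calls.items():
        if len(names) >= ENUM_THRESHOLD:
            findings.append(("API_ENUMERATION", iid, ",".join(sorted(names)), src))
    return findings


def imdsv1_allowed(metadata_options):
    """True if an instance's MetadataOptions (as returned by describe-instances)
    still let IMDSv1 answer: endpoint enabled and HttpTokens not 'required'."""
    return (metadata_options.get("HttpEndpoint", "enabled") == "enabled"
            and metadata_options.get("HttpTokens", "optional") != "required")


def main():
    for finding in triage(SAMPLE_EVENTS):
        print(*finding)
    print("IMDSv1 allowed:", imdsv1_allowed({"HttpTokens": "optional", "HttpEndpoint": "enabled"}))


if __name__ == "__main__":
    main()
```

In production the events would come from CloudTrail Lake or an Athena query over the trail bucket rather than an inline list, and the egress allowlist would be built from `describe-instances` and `describe-nat-gateways`. Instances where `imdsv1_allowed` returns True can be moved to IMDSv2-only with `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required --http-endpoint enabled`, after which `ec2RoleDelivery` for that instance's sessions should only ever read 2.0.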
