By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Ec2 metadata service enumeration detection

0

How to identify suspicious EC2 metadata enumeration activity? should we detect from cloudtrail or using cli to analyze EC2 access log? thanks

Topics
ComputeManagement & Governance
Tags
Amazon EC2AWS CloudTrail
Language
English
AWS-User-6667474
asked 2 years ago498 views
1 Answer
0

To inspect suspicious traffic to the instance metadata service, I would check VPC Flow Logs. Those would have network connectivity that you could see if there are suspicious network traffic to the EC2 instance metadata service.

AWS GuardDuty comes with a VPC Flow Log Finding: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#unauthorizedaccess-ec2-metadatadnsrebind (Keep in mind AWS GuardDuty does have a cost associated with the service: https://aws.amazon.com/guardduty/pricing/).

I would also recommend using IMDSv2 if possible which is a session-based method compared to request/response of IMDSv1: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html

VPC Flow Logs: https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html

jsonc
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content