Retrieve EC2 Password Data
MITRE ATT&CK Tactics
- Credential Access
Runs ec2:GetPasswordData from a role that does not have permission to do so. This simulates an attacker attempting to retrieve RDP passwords on a high number of Windows EC2 instances.
- Create an IAM role without permissions to run ec2:GetPasswordData
- Assume the role
- Run a number of ec2:GetPasswordData calls (which will be denied) using fictitious instance IDs
Identify principals making a large number of ec2:GetPasswordData calls, using CloudTrail's GetPasswordData event (eventSource ec2.amazonaws.com). Denied calls are logged too, with an errorCode, so a burst of failed GetPasswordData calls against many instance IDs from one principal is the signal to look for.
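The detection described above, as an added example that is not part of the original page or of the Stratus Red Team project: it reads CloudTrail records in their standard JSON shape, attributes each GetPasswordData call to the IAM role behind an assumed-role session (or to the user), and flags principals that issue more than a threshold of calls inside a sliding time window. The sample records, the role and user ARNs, the account ID, the instance IDs and the threshold values are all constructed for illustration.

```python
"""Flag principals making bursts of ec2:GetPasswordData calls in CloudTrail.

Added example; not code from the Stratus Red Team project. Assumes CloudTrail
records in the documented JSON format (eventTime, eventSource, eventName,
userIdentity, errorCode, requestParameters). Sample data below is constructed.
"""
import json
import sys
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed identities for the sample (not real accounts or roles).
ROLE_ARN = "arn:aws:iam::123456789012:role/example-role"
SESSION_ARN = "arn:aws:sts::123456789012:assumed-role/example-role/session"
USER_ARN = "arn:aws:iam::123456789012:user/alice"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _record(ts, event_name, identity, instance_id=None, error_code=None):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    rec = {"eventTime": ts.strftime(TIME_FMT), "eventSource": "ec2.amazonaws.com",
           "eventName": event_name, "userIdentity": identity, "awsRegion": "us-east-1",
           "requestParameters": {"instanceId": instance_id} if instance_id else None}
    if error_code:  # EC2 denials appear as Client.UnauthorizedOperation in CloudTrail
        rec["errorCode"] = error_code
        rec["errorMessage"] = "You are not authorized to perform this operation."
    return rec


_ROLE_SESSION = {"type": "AssumedRole", "arn": SESSION_ARN,
                 "sessionContext": {"sessionIssuer": {"type": "Role", "arn": ROLE_ARN}}}
_IAM_USER = {"type": "IAMUser", "arn": USER_ARN}
_BASE = datetime(2024, 3, 1, 10, 0, 0, tzinfo=timezone.utc)

# Six denied calls in two minutes against fictitious instance IDs (the pattern
# the detonation produces), one legitimate successful call, one unrelated event.
SAMPLE_RECORDS = [
    _record(_BASE + timedelta(seconds=20 * i), "GetPasswordData", _ROLE_SESSION,
            instance_id=f"i-0000000000000000{i}", error_code="Client.UnauthorizedOperation")
    for i in range(6)
] + [
    _record(_BASE + timedelta(minutes=30), "GetPasswordData", _IAM_USER, instance_id="i-0abc123def4567890"),
    _record(_BASE + timedelta(minutes=31), "DescribeInstances", _IAM_USER),
]


def parse_time(value):
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)


def principal_of(record):
    """Attribute a call to the issuing role for role sessions, else to the user."""
    ident = record.get("userIdentity") or {}
    issuer = (ident.get("sessionContext") or {}).get("sessionIssuer") or {}
    return issuer.get("arn") or ident.get("arn") or "unknown"


def is_get_password_data(record):
    return (record.get("eventSource") == "ec2.amazonaws.com"
            and record.get("eventName") == "GetPasswordData")


def max_events_in_window(times, window):
    """Largest number of timestamps that fall within any span of length `window`."""
    times = sorted(times)
    best = left = 0
    for right, t in enumerate(times):
        while t - times[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def summarize(records, window=timedelta(minutes=10)):
    """Per-principal counts of GetPasswordData calls, denials and targeted instances."""
    acc = defaultdict(lambda: {"calls": 0, "denied": 0, "instances": set(), "times": []})
    for rec in records:
        if not is_get_password_data(rec):
            continue
        entry = acc[principal_of(rec)]
        entry["calls"] += 1
        if rec.get("errorCode"):
            entry["denied"] += 1
        instance = (rec.get("requestParameters") or {}).get("instanceId")
        if instance:
            entry["instances"].add(instance)
        entry["times"].append(parse_time(rec["eventTime"]))
    return {p: {"calls": e["calls"], "denied": e["denied"],
                "distinct_instances": len(e["instances"]),
                "max_in_window": max_events_in_window(e["times"], window)}
            for p, e in acc.items()}


def flag_principals(records, threshold=5, window=timedelta(minutes=10)):
    """Principals with at least `threshold` GetPasswordData calls inside one window."""
    return sorted(p for p, s in summarize(records, window).items() if s["max_in_window"] >= threshold)


if __name__ == "__main__":
    # Optional: pass a CloudTrail log file (a JSON object with a "Records" list).
    records = json.load(open(sys.argv[1]))["Records"] if len(sys.argv) > 1 else SAMPLE_RECORDS
    for arn, stats in summarize(records).items():
        print(arn, stats)
    print("flagged:", flag_principals(records))
```

The threshold and window are tuning knobs: a handful of GetPasswordData calls spread over a day is normal for an administrator retrieving a Windows password, while many calls in minutes, most of them denied and each naming a different instance, matches the pattern this technique produces. Attributing to the session issuer rather than the session ARN keeps repeated role assumptions under one principal.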