Usage of EC2 Instance Connect on multiple instances
MITRE ATT&CK Tactics
- Lateral Movement
Simulates an attacker pushing an SSH public key to multiple EC2 instances, which then allows anyone with the corresponding private key to connect directly to the systems via SSH.
- Creates multiple EC2 instances and a VPC (takes a few minutes).
- Adds a public SSH key to the EC2 instances for 60 seconds.
Identify, through CloudTrail's SendSSHPublicKey event, when a user is adding an SSH key to multiple EC2 instances. Sample event:
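One way to implement this detection, as an added example that is not part of the original page or the project's own code: a Python check that flags any principal calling SendSSHPublicKey against several distinct instances within a short window. The records are constructed and trimmed to the fields the check reads; the threshold of 3 instances and the 5-minute window are assumed values to tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SOURCE = "ec2-instance-connect.amazonaws.com"

def _rec(time, user, instance_id, name="SendSSHPublicKey", source=SOURCE):
    """Build a constructed CloudTrail record, trimmed to the fields read below."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{user}"},
            "requestParameters": {"instanceId": instance_id}}

# Constructed sample data (not real logs).
SAMPLE_EVENTS = [
    _rec("2024-01-01T10:00:00Z", "alice", "i-0aaa"),
    _rec("2024-01-01T10:00:10Z", "alice", "i-0bbb"),
    _rec("2024-01-01T10:00:25Z", "alice", "i-0ccc"),
    _rec("2024-01-01T10:01:00Z", "alice", "i-0aaa", name="RunInstances", source="ec2.amazonaws.com"),
    _rec("2024-01-01T10:00:00Z", "bob", "i-0ddd"),
    _rec("2024-01-01T10:01:00Z", "bob", "i-0ddd"),  # same instance again
    _rec("2024-01-01T12:00:00Z", "bob", "i-0eee"),  # hours apart
    _rec("2024-01-01T15:00:00Z", "bob", "i-0fff"),
]

def find_multi_instance_pushes(events, min_instances=3, window=timedelta(minutes=5)):
    """Return {principal ARN: sorted instance IDs} for principals that sent a key
    to at least min_instances distinct instances inside one sliding window."""
    pushes = defaultdict(list)
    for e in events:
        if e.get("eventSource") != SOURCE or e.get("eventName") != "SendSSHPublicKey":
            continue
        arn = (e.get("userIdentity") or {}).get("arn")
        instance_id = (e.get("requestParameters") or {}).get("instanceId")
        if arn and instance_id:
            ts = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            pushes[arn].append((ts, instance_id))
    alerts = {}
    for arn, items in pushes.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1  # drop calls that fell out of the window
            distinct = {iid for _, iid in items[start:end + 1]}
            if len(distinct) >= min_instances:
                alerts.setdefault(arn, set()).update(distinct)
    return {arn: sorted(ids) for arn, ids in alerts.items()}

if __name__ == "__main__":
    for arn, ids in find_multi_instance_pushes(SAMPLE_EVENTS).items():
        print(f"ALERT {arn} pushed SSH keys to {len(ids)} instances: {', '.join(ids)}")
```

Counting distinct instance IDs rather than raw calls keeps a user who reconnects to one host repeatedly from triggering the alert.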