AWS EC2 Instance Profile Associated with Running Instance

Status: production
Severity: high
Time window: 6m
Author: Elastic
Source: github.com/elastic/detection-rules

Identifies when an IAM instance profile is associated with a running EC2 instance or replaces the existing association. These APIs change which role credentials the instance obtains via the instance metadata service without terminating the instance. Attackers who can call AssociateIamInstanceProfile or ReplaceIamInstanceProfile may attach a more privileged role to a workload they control, enabling privilege escalation or lateral movement from the instance.

MITRE ATT&CK coverage

Tactic	Techniques
Privilege Escalation	`T1078.004` Valid Accounts: Cloud Accounts, `T1548.005` Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access

Event coverage

Provider	Event
AWS-ec2	AssociateIamInstanceProfile
AWS-ec2	ReplaceIamInstanceProfile

Rules detecting the same action

Other rules on this platform that filter on the same API call or operation.

AWS Modify Cloud Compute Infrastructure (Panther)

Rule body elastic

[metadata]
creation_date = "2026/04/08"
integration = ["aws"]
maturity = "production"
updated_date = "2026/04/08"

[rule]
author = ["Elastic"]
description = """
Identifies when an IAM instance profile is associated with a running EC2 instance or replaces the existing association.
These APIs change which role credentials the instance obtains via the instance metadata service without terminating the
instance. Attackers who can call `AssociateIamInstanceProfile` or `ReplaceIamInstanceProfile` may attach a more
privileged role to a workload they control, enabling privilege escalation or lateral movement from the instance.
"""
false_positives = [
    """
    Blue/green deployments, instance remediation, and automation may rebind instance profiles intentionally. Confirm the
    instance id, new `iamInstanceProfile` or `IamInstanceProfile` ARN, and change records. Exclude known automation
    roles after validation.
    """,
]
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS EC2 Instance Profile Associated with Running Instance"
note = """## Triage and analysis

### Investigating AWS EC2 Instance Profile Associated with Running Instance

`AssociateIamInstanceProfile` adds an instance profile to a running instance (where none was set at launch).
`ReplaceIamInstanceProfile` swaps the association. Both require `ec2:AssociateIamInstanceProfile` /
`ec2:ReplaceIamInstanceProfile` and typically `iam:PassRole` on the target instance profile’s role.

#### Possible investigation steps

- Parse `aws.cloudtrail.request_parameters` for `instanceId` and instance profile name or ARN.
- Identify the IAM role behind the profile and compare its policies to the prior role (if any).
- Map the instance to owner, application, and sensitivity; check for recent compromise indicators (SSRF to IMDS,
  unusual `AssumeRole` from the instance role).
- Review `aws.cloudtrail.user_identity.arn`, `source.ip`, and `user_agent.original`.

### False positive analysis

- Legitimate fixes for missing or wrong profiles at launch; verify with service owners.

### Response and remediation

- If unauthorized: disassociate or replace with the correct profile, revoke `PassRole`/`ec2` permissions from the
  actor, and rotate credentials that may have been issued from the over-privileged role.

### Additional information

- [AssociateIamInstanceProfile](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AssociateIamInstanceProfile.html)
- [ReplaceIamInstanceProfile](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceIamInstanceProfile.html)
"""
references = [
    "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AssociateIamInstanceProfile.html",
    "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceIamInstanceProfile.html",
]
risk_score = 73
rule_id = "e5f9a1b2-3c4d-4e6f-a7b8-9c0d1e2f3a4b"
severity = "high"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS EC2",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Tactic: Lateral Movement",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset: "aws.cloudtrail"
    and event.provider: "ec2.amazonaws.com"
    and event.action: ("AssociateIamInstanceProfile" or "ReplaceIamInstanceProfile")
    and event.outcome: "success"
    and not aws.cloudtrail.user_identity.type: "AWSService" 
    and not aws.cloudtrail.user_identity.invoked_by: "ssm.amazonaws.com" 
'''

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "aws.cloudtrail.resources.arn",
    "aws.cloudtrail.resources.type",
    "event.action",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
    "aws.cloudtrail.request_parameters",
    "aws.cloudtrail.response_elements",
]

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"

[[rule.threat.technique.subtechnique]]
id = "T1548.005"
name = "Temporary Elevated Cloud Access"
reference = "https://attack.mitre.org/techniques/T1548/005/"

[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"

[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

Stages and Predicates

Stage 1: `query`

event.dataset: "aws.cloudtrail"
    and event.provider: "ec2.amazonaws.com"
    and event.action: ("AssociateIamInstanceProfile" or "ReplaceIamInstanceProfile")
    and event.outcome: "success"
    and not aws.cloudtrail.user_identity.type: "AWSService" 
    and not aws.cloudtrail.user_identity.invoked_by: "ssm.amazonaws.com"

Exclusions

Top-level NOT(...) conjuncts: predicates this rule actively suppresses.

Field	Kind	Excluded values
`aws.cloudtrail.user_identity.invoked_by`	eq	`ssm.amazonaws.com`
`aws.cloudtrail.user_identity.type`	eq	`AWSService`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`event.action`	in	`AssociateIamInstanceProfile` `ReplaceIamInstanceProfile`
`event.dataset`	eq	`aws.cloudtrail`
`event.outcome`	eq	`success`
`event.provider`	eq	`ec2.amazonaws.com`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

AWS EC2 Instance Profile Associated with Running Instance

MITRE ATT&CK coverage

Event coverage

Rules detecting the same action

Rule body elastic

Stages and Predicates

Stage 1: `query`

Exclusions

Indicators

Keyboard shortcuts

Search operators

AWS EC2 Instance Profile Associated with Running Instance

MITRE ATT&CK coverage

Event coverage

Rules detecting the same action

Rule body elastic

Stages and Predicates

Stage 1: query

Exclusions

Indicators

Stage 1: `query`