Detection rules › Panther
AWS EC2 Many Password Read Attempts
An actor in AWS has made many attempts to retrieve EC2 passwords. It is typically not necessary to retrieve EC2 passwords more than a few times an hour.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1555 Credentials from Password Stores |
Rule body

```yaml
AnalysisType: rule
Filename: aws_ec2_many_passwors_read_attempts.py
RuleID: "AWS.EC2.ManyPasswordReadAttempts"
DisplayName: "AWS EC2 Many Password Read Attempts"
Enabled: true
LogTypes:
  - AWS.CloudTrail
Severity: Info
Reports:
  MITRE ATT&CK:
    - TA0006:T1555 # Credential Access: Credentials from Password Stores
  Stratus Red Team:
    - aws.credential-access.ec2-get-password-data
Description: >
  An actor in AWS has made many attempts to retrieve EC2 passwords. It is typically
  not necessary to retrieve EC2 passwords more than a few times an hour.
DedupPeriodMinutes: 60
Threshold: 30
Reference:
  https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ec2-get-password-data/
Runbook: Identify the actor and the EC2 instances for which the credential access
  attempts were made. Determine if the attempts have a valid reason.
Tags:
  - AWS
  - CloudTrail
  - EC2
  - Credential Access:Credentials from Password Stores
  - Credential Access
  - Credentials from Password Stores
Tests:
  - Name: Unsuccessful Attempt
    ExpectedResult: true
    Log:
      {
        "p_event_time": "2024-12-11 21:45:56.000000000",
        "p_log_type": "AWS.CloudTrail",
        "p_parse_time": "2024-12-11 21:50:54.495464364",
        "awsRegion": "us-west-2",
        "errorCode": "Client.UnauthorizedOperation",
        "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::111111111111:assumed-role/sample-role-nostalgic-merkle/sample-role-quizzical-goldstine.jenkins is not authorized to perform: ec2:GetPasswordData on resource: arn:aws:ec2:us-west-2:111111111111:instance/* because no identity-based policy allows the ec2:GetPasswordData action. Encoded authorization failure message: VbdJrM7j1Czq6HEj1lZpnU-AWGICaaPZQs1K_-9U3hQcFpXimBHYHwvg4SOc36ACu0GUYqWoSeX6_wI7ke3QxC0d1_Wv2XYLI96rYdMY2aWzdzwkIp__hUQQi-XqaHmp-QHOHiiJ31xqEkDZvyZXaO0BHhCpf8m7mIMeMaAB2CPtKhPj5NPGGkPc1f6rNFx0grhDkKZ3MrWBo65U4nRjzJrThuyK3146B1k1tWuQfI2_H-QMCuOl_aTIZ93xIeWFoIqKUWnD6-F68V8hhxHHXl0EhiFL9p7LAGvYTPXtJ1wEH1ve8iOW1S9ptI8CuFVP-Q7E7-NS45tIaheVJusaq3JtS03XAnKYC2NuVXnXBwbPNbNiQWH8LfSdgl43MZ5Q9Kin-tqCoA_Yskz0F_JNokjmIB2PKegJ5kANzHcb09u9sSqvgqKqpVHpfIDtjcI8LPzWjZyUNExaymEWOkE4HhtF19t1zyBvuoO6xgZtCyAx-6fsDSO8jpBZbLz9MsPmjhJLfp_yQPOF9ROIrBhvNCY_2tC7hyDDwdl11iNzHQvBaCjiLjE5PcoEchYWTHqlVHZ-yMA3",
        "eventCategory": "Management",
        "eventID": "9e2b3bf0-8f58-4d50-83af-b3175b68c2f8",
        "eventName": "GetPasswordData",
        "eventSource": "ec2.amazonaws.com",
        "eventTime": "2024-12-11 21:45:56.000000000",
        "eventType": "AwsApiCall",
        "eventVersion": "1.10",
        "managementEvent": true,
        "readOnly": true,
        "recipientAccountId": "111111111111",
        "requestID": "b22ce7ac-297f-41b4-a92e-f4aa38668c6d",
        "requestParameters": {
          "instanceId": "i-abcdef1234567890"
        },
        "sourceIPAddress": "1.2.3.4",
        "tlsDetails": {
          "cipherSuite": "TLS_AES_128_GCM_SHA256",
          "clientProvidedHostHeader": "ec2.us-west-2.amazonaws.com",
          "tlsVersion": "TLSv1.3"
        },
        "userAgent": "SampleUserAgent",
        "userIdentity": {
          "accessKeyId": "SAMPLE_ACCESS_KEY",
          "accountId": "111111111111",
          "arn": "arn:aws:sts::111111111111:assumed-role/sample-role-nostalgic-merkle/sample-role-quizzical-goldstine.jenkins",
          "principalId": "SAMPLE_PRINCIPAL_ID:leroy.jenkins",
          "sessionContext": {
            "attributes": {
              "creationDate": "2024-12-11T21:45:52Z",
              "mfaAuthenticated": "false"
            },
            "sessionIssuer": {
              "accountId": "111111111111",
              "arn": "arn:aws:iam::111111111111:role/sample-role-nostalgic-merkle",
              "principalId": "SAMPLE_PRINCIPAL_ID",
              "type": "Role",
              "userName": "SampleRole"
            }
          },
          "type": "AssumedRole"
        }
      }
  - Name: Successful Attempt
    ExpectedResult: true
    Log:
      {
        "p_event_time": "2024-11-21 22:46:18.000000000",
        "p_log_type": "AWS.CloudTrail",
        "p_parse_time": "2024-11-21 22:50:54.241713629",
        "awsRegion": "us-west-2",
        "eventCategory": "Management",
        "eventID": "73076737-1a1e-418b-94fd-cbde95a5859d",
        "eventName": "GetPasswordData",
        "eventSource": "ec2.amazonaws.com",
        "eventTime": "2024-11-21 22:46:18.000000000",
        "eventType": "AwsApiCall",
        "eventVersion": "1.10",
        "managementEvent": true,
        "readOnly": true,
        "recipientAccountId": "111122223333",
        "requestID": "6ed17b60-a576-4b71-91d3-b59a37b3c6f9",
        "requestParameters": {
          "instanceId": "i-abcdef1234567890"
        },
        "sessionCredentialFromConsole": true,
        "sourceIPAddress": "1.2.3.4",
        "tlsDetails": {
          "cipherSuite": "TLS_AES_128_GCM_SHA256",
          "clientProvidedHostHeader": "ec2.us-west-2.amazonaws.com",
          "tlsVersion": "TLSv1.3"
        },
        "userAgent": "SampleUserAgent",
        "userIdentity": {
          "accessKeyId": "SAMPLE_ACCESS_KEY",
          "accountId": "111122223333",
          "arn": "arn:aws:sts::111122223333:assumed-role/SampleRole/leroy.jenkins",
          "principalId": "SAMPLE_PRINCIPAL_ID:leroy.jenkins",
          "sessionContext": {
            "attributes": {
              "creationDate": "2024-11-21T22:42:44Z",
              "mfaAuthenticated": "false"
            },
            "sessionIssuer": {
              "accountId": "111122223333",
              "arn": "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/us-west-2/SampleRole",
              "principalId": "SAMPLE_PRINCIPAL_ID",
              "type": "Role",
              "userName": "SampleRole"
            }
          },
          "type": "AssumedRole"
        }
      }
  - Name: Unrelated Event
    ExpectedResult: false
    Log:
      {
        "awsRegion": "us-east-1",
        "eventCategory": "Management",
        "eventID": "044e210e-6c5e-3f3e-8f04-2311a826f287",
        "eventName": "AssumeRole",
        "eventSource": "sts.amazonaws.com",
        "eventTime": "2024-12-12 16:04:32.000000000",
        "eventType": "AwsApiCall",
        "eventVersion": "1.08",
        "managementEvent": "True",
        "readOnly": "True",
        "recipientAccountId": "111122223333",
        "requestID": "82c13187-0cc9-445e-9862-65d3ee2c6b7d",
        "requestParameters": {
          "durationSeconds": "900",
          "roleArn": "arn:aws:iam::111122223333:role/SampleRole",
          "roleSessionName": "SampleSession"
        },
        "resources": [
          "{'accountId': '111122223333', 'arn': 'arn:aws:iam::111122223333:role/SampleRole', 'type': 'AWS::IAM::Role'}"
        ],
        "responseElements": {
          "assumedRoleUser": {
            "arn": "arn:aws:sts::111122223333:assumed-role/SampleRole/SampleSession",
            "assumedRoleId": "SAMPLE_PRINCIPAL_ID:SampleSession"
          },
          "credentials": {
            "accessKeyId": "SAMPLE_ACCESS_KEY",
            "expiration": "Dec 12, 2024, 4:19:32 PM",
            "sessionToken": "SampleSessionToken"
          }
        },
        "sharedEventID": "fe4784a8-b3b8-4dac-a763-0476f4bef6e3",
        "sourceIPAddress": "1.2.3.4",
        "tlsDetails": {
          "cipherSuite": "TLS_AES_128_GCM_SHA256",
          "clientProvidedHostHeader": "sts.us-east-1.amazonaws.com",
          "tlsVersion": "TLSv1.3"
        },
        "userAgent": "SampleUserAgent",
        "userIdentity": {
          "accountId": "111122223333",
          "principalId": "SAMPLE_PRINCIPAL_ID:lambda-name",
          "type": "AWSAccount"
        }
      }
```
Detection logic
Condition
eventName eq "GetPasswordData"
eventSource eq "ec2.amazonaws.com"
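The page gives the per-event condition and the rule's Threshold/DedupPeriodMinutes settings but not the Python rule body itself. The following is an added example (not the rule's own code): a plain-Python version of the match, plus a simulation of how 30 matching events from one actor inside a 60-minute window become a single alert. Grouping attempts by `userIdentity.arn` and the constructed sample events are assumptions for the demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def rule(event: dict) -> bool:
    # Per-event match, mirroring the page's Condition: failed and successful
    # GetPasswordData calls both match, as the first two tests expect.
    return (
        event.get("eventName") == "GetPasswordData"
        and event.get("eventSource") == "ec2.amazonaws.com"
    )

def actor_key(event: dict) -> str:
    # Assumption: attempts are grouped per calling principal ARN.
    ident = event.get("userIdentity") or {}
    return ident.get("arn") or ident.get("accountId") or "unknown"

def title(event: dict) -> str:
    return f"Many EC2 GetPasswordData attempts by [{actor_key(event)}]"
def _parse_time(ts: str) -> datetime:
    # Panther timestamps carry 9 fractional digits; strptime's %f takes 6.
    return datetime.strptime(ts[:26], "%Y-%m-%d %H:%M:%S.%f")

def find_alerts(events, threshold: int = 30, window_minutes: int = 60) -> list:
    # Simulates Threshold/DedupPeriodMinutes: one alert per actor once that
    # actor has >= threshold matching events inside a sliding time window.
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # actor -> matching event times in window
    alerts, fired = [], set()
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if not rule(ev):
            continue
        key, ts = actor_key(ev), _parse_time(ev["eventTime"])
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:  # drop events older than the window
            q.popleft()
        if len(q) >= threshold and key not in fired:
            fired.add(key)
            alerts.append(title(ev))
    return alerts
def sample_events(n: int, actor_arn: str, step_minutes: int = 1) -> list:
    # Constructed CloudTrail-style events, not real log data.
    base = datetime(2024, 12, 11, 21, 0, 0)
    return [{
        "eventName": "GetPasswordData",
        "eventSource": "ec2.amazonaws.com",
        "eventTime": (base + timedelta(minutes=i * step_minutes)).strftime("%Y-%m-%d %H:%M:%S.%f") + "000",
        "userIdentity": {"arn": actor_arn},
    } for i in range(n)]
```

Thirty attempts spread three minutes apart never have thirty inside any 60-minute window, so the simulation stays quiet for that actor, which is the behaviour the page's Threshold and DedupPeriodMinutes settings imply.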
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| eventName | eq | GetPasswordData |
| eventSource | eq | ec2.amazonaws.com |
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field |
|---|
| eventName |
| eventSource |
| awsRegion |
| recipientAccountId |
| sourceIPAddress |
| userAgent |
| userIdentity |
| actor_user |