An attacker can modify security group rules to allow new inbound traffic. This typically lets them maintain access to your infrastructure after the initial compromise.
Compute resources in AWS (EC2 instances, RDS databases, load balancers, and so on) are protected by security groups, which act as stateful virtual firewalls. When an attacker authorizes new inbound traffic on a security group, for instance from 0.0.0.0/0, the affected resource becomes reachable from the Internet and the attacker gains a persistent path back into your environment.
Note that removing a malicious ingress security group rule does not block connections that are already established (see Connection tracking).
You can identify when a security group ingress rule is created using the CloudTrail event AuthorizeSecurityGroupIngress. In particular:
requestParameters.cidrIp contains the newly authorized source IP range (for instance,
requestParameters.toPort contains the newly opened port (or the end of the newly opened port range).
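The following is an added example of the detection logic described above, written for this page; it is not Datadog's Cloud SIEM rule or Stratus Red Team code. It scans CloudTrail records for AuthorizeSecurityGroupIngress events and flags any rule whose source range is the whole Internet (0.0.0.0/0 or ::/0). The sample events are constructed, not real logs. Beyond the cidrIp and toPort fields listed on this page, the example also reads fromPort and the nested requestParameters.ipPermissions.items form, which is the shape CloudTrail records when the rule is supplied as an IpPermissions structure rather than as flat parameters.

```python
import ipaddress

# Constructed sample CloudTrail records (not real events). The first uses the
# flat requestParameters form; the second uses the nested ipPermissions form;
# the third is a revocation and must be ignored by the detection.
SAMPLE_EVENTS = [
    {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {
            "groupId": "sg-0123456789abcdef0",
            "ipProtocol": "tcp",
            "fromPort": 22,
            "toPort": 22,
            "cidrIp": "0.0.0.0/0",
        },
    },
    {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
        "requestParameters": {
            "groupId": "sg-0fedcba9876543210",
            "ipPermissions": {
                "items": [
                    {
                        "ipProtocol": "tcp",
                        "fromPort": 3389,
                        "toPort": 3389,
                        # Internal range: benign. IPv6 "::/0": world-open.
                        "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]},
                        "ipv6Ranges": {"items": [{"cidrIpv6": "::/0"}]},
                    }
                ]
            },
        },
    },
    {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "RevokeSecurityGroupIngress",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"groupId": "sg-0123456789abcdef0", "cidrIp": "0.0.0.0/0",
                              "ipProtocol": "tcp", "fromPort": 22, "toPort": 22},
    },
]


def iter_ingress_rules(event):
    """Yield (cidr, protocol, from_port, to_port) for every rule authorized by
    an AuthorizeSecurityGroupIngress event. Handles both the flat
    requestParameters form and the nested ipPermissions.items form."""
    if event.get("eventSource") != "ec2.amazonaws.com":
        return
    if event.get("eventName") != "AuthorizeSecurityGroupIngress":
        return
    params = event.get("requestParameters") or {}
    if "cidrIp" in params:  # flat form: one rule per event
        yield (params["cidrIp"], params.get("ipProtocol", "-1"),
               params.get("fromPort"), params.get("toPort"))
    for perm in (params.get("ipPermissions") or {}).get("items", []):
        proto = perm.get("ipProtocol", "-1")
        lo, hi = perm.get("fromPort"), perm.get("toPort")
        for r in (perm.get("ipRanges") or {}).get("items", []):
            yield (r["cidrIp"], proto, lo, hi)
        for r in (perm.get("ipv6Ranges") or {}).get("items", []):
            yield (r["cidrIpv6"], proto, lo, hi)


def is_world_open(cidr):
    """True when the range covers the whole address space (0.0.0.0/0, ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def describe_ports(proto, lo, hi):
    """Human-readable port description; protocol -1 means all traffic."""
    if proto == "-1" or lo is None or lo == -1:
        return "all ports"
    return str(lo) if lo == hi else f"{lo}-{hi}"


def find_world_open_ingress(events):
    """Return one finding per world-open rule, in event order."""
    findings = []
    for ev in events:
        for cidr, proto, lo, hi in iter_ingress_rules(ev):
            if is_world_open(cidr):
                findings.append({
                    "principal": (ev.get("userIdentity") or {}).get("arn"),
                    "group_id": ev["requestParameters"].get("groupId"),
                    "cidr": cidr,
                    "protocol": proto,
                    "ports": describe_ports(proto, lo, hi),
                })
    return findings


if __name__ == "__main__":
    for f in find_world_open_ingress(SAMPLE_EVENTS):
        print(f"{f['principal']} opened {f['group_id']} to {f['cidr']} "
              f"on {f['protocol']}/{f['ports']}")
```

In production the event stream would come from a CloudTrail Lake query or the S3 trail rather than an inline list, and a real rule would also whitelist known-good principals; the matching logic on cidrIp, fromPort and toPort is the part this example demonstrates.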
Reproduce the attack
You can easily reproduce this attack in a self-contained manner with Stratus Red Team using the following command:
stratus detonate aws.exfiltration.ec2-security-group-open-port-22-ingress
See also the related documentation.
How Datadog can help
Datadog Cloud SIEM detects this attack using the out-of-the-box rule "Security group open to the world".
Stratus Red Team - Open Ingress Port 22 on a Security Group
Finding evil in AWS
Attacker tactics reported by Jon Hencinski (Expel)