AWS EC2 Deprecated AMI Discovery

Last updated 14 days ago on 2025-01-17

Created a month ago on 2024-12-24

About

Identifies when a user has queried for deprecated Amazon Machine Images (AMIs) in AWS. This may indicate an adversary whom is looking for outdated AMIs that may be vulnerable to exploitation. While deprecated AMIs are not inherently malicious or indicate breach, they may be more susceptible to vulnerabilities and should be investigated for potential security risks.

Tags

Domain: CloudData Source: AWSData Source: AWS EC2Use Case: Threat DetectionTactic: DiscoveryLanguage: kuery

Severity

low

Risk Score

MITRE ATT&CK™

Discovery (TA0007)(opens in a new tab or window)

↳ Cloud Infrastructure Discovery (T1580)(opens in a new tab or window)

False Positive Examples

Legitimate use of deprecated AMIs for testing or development purposes.Automated tools or scripts that query for deprecated AMIs as part of a security assessment.Misconfigured applications or services that rely on deprecated AMIs for compatibility reasons.Administrators or developers who are unaware of the deprecation status of AMIs they are using.

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type: Query (Kibana Query Language)
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: filebeat-*logs-aws.cloudtrail-*
Related Integrations: aws(opens in a new tab or window)
Query

event.dataset: "aws.cloudtrail"
    and event.provider: "ec2.amazonaws.com"
    and event.action: "DescribeImages"
    and event.outcome: "success"
    and aws.cloudtrail.flattened.request_parameters.includeDeprecated: "true"
    and aws.cloudtrail.request_parameters: *owner=*

Install detection rules in Elastic Security

Detect AWS EC2 Deprecated AMI Discovery in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).