AWS EC2 CreateKeyPair by New Principal from Non-Cloud AS Organization

Last updated: 2026-04-08
Created: 2026-04-08

About

Identifies the first time a given IAM principal successfully creates an EC2 key pair when the request is sourced from a network whose autonomous system organization is not attributed to common cloud or hyperscaler providers in your GeoIP data. Adversaries may call CreateKeyPair to stage SSH access material before launching or accessing instances. A new terms baseline on `user_identity.arn` suppresses repeated noise from the same principal while still surfacing the initial suspicious creation from an unusual egress label.
Tags
Domain: Cloud
Domain: Identity
Data Source: AWS
Data Source: Amazon Web Services
Data Source: Amazon EC2
Use Case: Threat Detection
Tactic: Persistence
Tactic: Credential Access
Tactic: Lateral Movement
Language: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Persistence (TA0003)

Credential Access (TA0006)

Lateral Movement (TA0008)

False Positive Examples
Engineers creating key pairs from home ISP, corporate VPN, or colocation AS names will match until baselined. GeoIP databases vary by vendor; organization labels may differ slightly from the excluded strings (for example alternate Amazon or Google legal names). Tune exclusions on `source.as.organization.name` or principal ARN after validation.
License
Elastic License v2

Definition

Rule Type
New Terms Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
filebeat-*
logs-aws.cloudtrail-*
Related Integrations

aws

Query
event.dataset: "aws.cloudtrail" and event.provider: "ec2.amazonaws.com" and event.action: "CreateKeyPair" and event.outcome: "success" and source.as.organization.name: ( * and not ( "Amazon.com, Inc." or AMAZ* or "Google LLC" or "Microsoft Corporation" ) )
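The query above combined with the new terms baseline on `user_identity.arn`, as an added Python illustration (not part of the rule or Elastic's code) run over constructed CloudTrail events flattened to the ECS field names the rule uses. It assumes the `source.as.organization.name` field is a keyword field, so the `AMAZ*` wildcard and the exact strings match case-sensitively; the ARNs and AS organization names are made up.

```python
from fnmatch import fnmatchcase
from typing import Optional

# Exclusion list copied from the rule's query; AMAZ* is a KQL wildcard.
EXCLUDED_AS_ORGS = ["Amazon.com, Inc.", "AMAZ*", "Google LLC", "Microsoft Corporation"]

def is_excluded_org(name: str) -> bool:
    """Keyword-style match: exact string or wildcard pattern (assumed case-sensitive)."""
    return any(fnmatchcase(name, pattern) for pattern in EXCLUDED_AS_ORGS)

def matches_query(event: dict) -> bool:
    """Mirror of the rule's KQL: successful EC2 CreateKeyPair from a non-excluded AS org."""
    org = event.get("source.as.organization.name")
    return (
        event.get("event.dataset") == "aws.cloudtrail"
        and event.get("event.provider") == "ec2.amazonaws.com"
        and event.get("event.action") == "CreateKeyPair"
        and event.get("event.outcome") == "success"
        and bool(org)  # the `*` clause requires the field to be present
        and not is_excluded_org(org)
    )

def new_term_alerts(events: list, seen_arns: Optional[set] = None) -> list:
    """One alert per principal ARN the first time it matches; later matches are suppressed.
    seen_arns stands in for the history window the new terms rule has already baselined."""
    seen = set() if seen_arns is None else seen_arns
    alerts = []
    for ev in events:
        if not matches_query(ev):
            continue
        arn = ev["user_identity.arn"]
        if arn in seen:
            continue  # principal already baselined: repeated noise, no alert
        seen.add(arn)
        alerts.append({"arn": arn, "as_org": ev["source.as.organization.name"]})
    return alerts

def ct_event(arn: str, org: str, outcome: str = "success", action: str = "CreateKeyPair") -> dict:
    """Build a constructed (not real) CloudTrail event with the fields the rule inspects."""
    return {"event.dataset": "aws.cloudtrail", "event.provider": "ec2.amazonaws.com",
            "event.action": action, "event.outcome": outcome,
            "source.as.organization.name": org, "user_identity.arn": arn}

ACCT = "arn:aws:iam::111122223333:user/"  # constructed account id
SAMPLE_EVENTS = [
    ct_event(ACCT + "ci-runner", "Amazon.com, Inc."),                  # excluded exact string
    ct_event(ACCT + "alice", "Example Home ISP"),                      # first seen -> alert
    ct_event(ACCT + "alice", "Example Home ISP"),                      # repeat -> suppressed
    ct_event(ACCT + "bob", "Example Home ISP", outcome="failure"),     # not a success
    ct_event(ACCT + "carol", "AMAZON-02"),                             # excluded via AMAZ*
    ct_event(ACCT + "dave", "Example Colo LLC"),                       # first seen -> alert
    ct_event(ACCT + "dave", "Example Colo LLC", action="DescribeKeyPairs"),  # wrong action
]

if __name__ == "__main__":
    for alert in new_term_alerts(SAMPLE_EVENTS):
        print(f"ALERT {alert['arn']} created a key pair from AS org {alert['as_org']!r}")
```

Passing an already-baselined set of ARNs to `new_term_alerts` shows why a principal that has created key pairs from the same egress label before never fires again, which is the behaviour the false positive notes rely on.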

Install detection rules in Elastic Security

Detect AWS EC2 CreateKeyPair by New Principal from Non-Cloud AS Organization in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.