AWS EC2 Instance Profile Associated with Running Instance

Last updated: 2026-04-08
Created: 2026-04-08

About

Identifies when an IAM instance profile is associated with a running EC2 instance or replaces the existing association. These APIs change which role credentials the instance obtains via the instance metadata service without terminating the instance. Attackers who can call `AssociateIamInstanceProfile` or `ReplaceIamInstanceProfile` may attach a more privileged role to a workload they control, enabling privilege escalation or lateral movement from the instance.
Tags
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS EC2
Use Case: Threat Detection
Tactic: Privilege Escalation
Tactic: Lateral Movement
Language: kuery
Severity
high
Risk Score
73
MITRE ATT&CK™

Privilege Escalation (TA0004)

False Positive Examples
Blue/green deployments, instance remediation, and automation may rebind instance profiles intentionally. Confirm the instance id, new `iamInstanceProfile` or `IamInstanceProfile` ARN, and change records. Exclude known automation roles after validation.
License
Elastic License v2

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
filebeat-*
logs-aws.cloudtrail-*
Related Integrations

aws

Query
event.dataset: "aws.cloudtrail"
  and event.provider: "ec2.amazonaws.com"
  and event.action: ("AssociateIamInstanceProfile" or "ReplaceIamInstanceProfile")
  and event.outcome: "success"
  and not aws.cloudtrail.user_identity.type: "AWSService"
  and not aws.cloudtrail.user_identity.invoked_by: "ssm.amazonaws.com"
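To see exactly which CloudTrail events this query fires on, the following added example (not part of the Elastic rule or the aws integration) re-implements the KQL as a Python predicate and runs it over constructed ECS-shaped documents. It also carries the allowlist step from the False Positive Examples section: hits from validated automation principals are dropped by ARN prefix. The ARN field path aws.cloudtrail.user_identity.arn, the account id 123456789012 and the principal names are assumptions made for the sample, not values from the rule.

```python
"""Added example (not the Elastic rule's own code): the detection query above as a
Python predicate, exercised against constructed ECS-shaped CloudTrail events."""
from typing import Any, Iterable, Optional

WATCHED_ACTIONS = {"AssociateIamInstanceProfile", "ReplaceIamInstanceProfile"}


def get_field(doc: dict, dotted: str) -> Optional[Any]:
    """Resolve a dotted ECS path such as 'aws.cloudtrail.user_identity.type'.

    Returns None when any segment is missing. That mirrors KQL semantics: a
    'not field: value' clause is satisfied when the field is absent entirely.
    """
    cur: Any = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches_rule(doc: dict) -> bool:
    """True when every clause of the rule's KQL query holds for this event."""
    return (
        get_field(doc, "event.dataset") == "aws.cloudtrail"
        and get_field(doc, "event.provider") == "ec2.amazonaws.com"
        and get_field(doc, "event.action") in WATCHED_ACTIONS
        and get_field(doc, "event.outcome") == "success"
        and get_field(doc, "aws.cloudtrail.user_identity.type") != "AWSService"
        and get_field(doc, "aws.cloudtrail.user_identity.invoked_by") != "ssm.amazonaws.com"
    )


def triage(events: Iterable[dict], known_automation_prefixes: tuple = ()) -> list:
    """Apply the rule, then drop hits whose actor ARN starts with a validated
    automation prefix (the tuning step the False Positive section describes).

    The actor path aws.cloudtrail.user_identity.arn is an assumption about the
    integration's mapping; the rule itself does not read it.
    Returns (actor ARN, action) tuples for the remaining hits.
    """
    hits = []
    for doc in events:
        if not matches_rule(doc):
            continue
        actor = get_field(doc, "aws.cloudtrail.user_identity.arn")
        if actor and actor.startswith(known_automation_prefixes):
            continue
        hits.append((actor, get_field(doc, "event.action")))
    return hits


def make_event(action, outcome="success", identity_type="IAMUser", invoked_by=None,
               arn="arn:aws:iam::123456789012:user/alice") -> dict:
    """Build a minimal constructed ECS document holding only the fields the rule reads."""
    identity = {"type": identity_type, "arn": arn}
    if invoked_by is not None:
        identity["invoked_by"] = invoked_by
    return {
        "event": {"dataset": "aws.cloudtrail", "provider": "ec2.amazonaws.com",
                  "action": action, "outcome": outcome},
        "aws": {"cloudtrail": {"user_identity": identity}},
    }


# Constructed sample events; account id and principal names are placeholders.
SAMPLE_EVENTS = [
    make_event("ReplaceIamInstanceProfile"),                                    # alerts
    make_event("AssociateIamInstanceProfile", identity_type="AssumedRole",
               arn="arn:aws:sts::123456789012:assumed-role/deploy-automation/run-42"),  # tuned out
    make_event("AssociateIamInstanceProfile", identity_type="AWSService"),      # excluded by query
    make_event("AssociateIamInstanceProfile", invoked_by="ssm.amazonaws.com"),  # excluded by query
    make_event("AssociateIamInstanceProfile", outcome="failure"),               # not a success
    make_event("RunInstances"),                                                 # not a watched action
]

# Hypothetical validated automation role, matched on the assumed-role ARN prefix
# so that the per-session suffix does not matter.
KNOWN_AUTOMATION = ("arn:aws:sts::123456789012:assumed-role/deploy-automation/",)

if __name__ == "__main__":
    for actor, action in triage(SAMPLE_EVENTS, KNOWN_AUTOMATION):
        print(f"ALERT {action} by {actor}")
```

Note that `get_field` returning None for a missing `user_identity` block still lets the event through: in KQL a negated clause on an absent field matches, so an event that lacks the identity fields entirely would alert rather than be silently dropped.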

Install detection rules in Elastic Security

Detect AWS EC2 Instance Profile Associated with Running Instance in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, see the installation guide for Prebuilt Security Detection Rules.