Rules: First Seen User Creating or Modifying EC2 Launch Template
Description
AWS EC2 launch templates allow cloud administrators to specify instance configuration information in a templated format. In certain circumstances, granting permissions to create or modify launch templates within EC2 also grants the user PassRole permissions, potentially opening privilege escalation avenues via IAM. The following AWS documentation outlines this behavior: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/permissions-for-launch-templates.html. To investigate this signal, look at the other events the user in question is performing. If this signal is triggering too many false positives, consider excluding authorized users via a match list.
Additional Details
| Detail | Value |
| --- | --- |
| Type | First Seen |
| Category | Defense Evasion |
| Apply Risk to Entities | user_username |
| Signal Name | First Seen User Creating or Modifying EC2 Launch Template |
| Summary Expression | First Seen User: {{user_username}} Creating or Modifying EC2 Launch Template |
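
The first-seen logic and match-list exclusion described above, sketched as an added example over constructed CloudTrail records; it is not the rule's own expression. The three EC2 event names taken as in scope, the 30-day baseline window and the `ci-deploy` match-list entry are assumptions.

```python
from datetime import datetime, timedelta

# EC2 API actions treated as creating or modifying a launch template (assumed scope).
LAUNCH_TEMPLATE_EVENTS = {"CreateLaunchTemplate", "CreateLaunchTemplateVersion",
                          "ModifyLaunchTemplate"}
BASELINE = timedelta(days=30)  # assumed baseline window, not a value from the rule

def username(record):
    """User name from a CloudTrail userIdentity block; the role name for
    assumed roles (arn:aws:sts::<account>:assumed-role/<role>/<session>)."""
    ident = record.get("userIdentity", {})
    if ident.get("type") == "AssumedRole":
        return ident.get("arn", "").split(":assumed-role/")[-1].split("/")[0] or None
    return ident.get("userName") or ident.get("arn")

def first_seen_signals(records, match_list=frozenset()):
    """Return (time, summary) per user with no launch-template activity in BASELINE."""
    last_seen, signals = {}, []
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        user = username(rec)
        if (rec.get("eventSource") != "ec2.amazonaws.com"
                or rec.get("eventName") not in LAUNCH_TEMPLATE_EVENTS
                or user is None or user in match_list):  # match list = authorized users
            continue
        when = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        if user not in last_seen or when - last_seen[user] > BASELINE:
            signals.append((rec["eventTime"], f"First Seen User: {user} Creating "
                            "or Modifying EC2 Launch Template"))
        last_seen[user] = when
    return signals

def _rec(time, name, identity):
    return {"eventTime": time, "eventSource": "ec2.amazonaws.com",
            "eventName": name, "userIdentity": identity}

# Constructed CloudTrail records (sample data, not from a real account).
ALICE = {"type": "IAMUser", "userName": "alice"}
CI = {"type": "AssumedRole",
      "arn": "arn:aws:sts::111122223333:assumed-role/ci-deploy/build-42"}
SAMPLE = [
    _rec("2024-03-01T10:00:00Z", "CreateLaunchTemplate", ALICE),   # first seen
    _rec("2024-03-02T09:00:00Z", "ModifyLaunchTemplate", ALICE),   # already seen
    _rec("2024-03-02T11:00:00Z", "RunInstances", {"type": "IAMUser", "userName": "bob"}),
    _rec("2024-03-03T08:00:00Z", "CreateLaunchTemplateVersion", CI),
    _rec("2024-04-20T08:00:00Z", "ModifyLaunchTemplate", ALICE),   # baseline lapsed
]

if __name__ == "__main__":
    for when, summary in first_seen_signals(SAMPLE, match_list={"ci-deploy"}):
        print(when, summary)
```

Keying assumed-role sessions on the role name rather than the session name keeps a pipeline role from firing as a new user on every run.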