LoFP / Blue/green deployments, instance remediation, and automation may rebind instance profiles intentionally. Confirm the instance ID, the new `IamInstanceProfile` name or ARN, and the change records. Exclude known automation roles after validation.

Techniques

Sample rules

AWS EC2 Instance Profile Associated with Running Instance

Description

Identifies when an IAM instance profile is associated with a running EC2 instance or replaces the existing association. These APIs change which role credentials the instance obtains via the instance metadata service without terminating the instance. Attackers who can call AssociateIamInstanceProfile or ReplaceIamInstanceProfile may attach a more privileged role to a workload they control, enabling privilege escalation or lateral movement from the instance.

Detection logic

event.dataset: "aws.cloudtrail"
    and event.provider: "ec2.amazonaws.com"
    and event.action: ("AssociateIamInstanceProfile" or "ReplaceIamInstanceProfile")
    and event.outcome: "success"
    and not aws.cloudtrail.user_identity.type: "AWSService"
    and not aws.cloudtrail.user_identity.invoked_by: "ssm.amazonaws.com"
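The following is an added example, not code from the LoFP page or from the rule it quotes. It applies the detection logic above to a handful of constructed raw CloudTrail records and then applies the page's false-positive guidance: pull out the instance ID, the new `IamInstanceProfile` (name or ARN) and the acting principal for confirmation, and suppress only events whose actor is an automation role that has already been validated. The mapping from the rule's ECS fields to raw CloudTrail keys, the role names and the account IDs are assumptions made for the example.

```python
"""Added example: evaluate the instance-profile rule and its FP handling
against constructed CloudTrail records. Not part of the LoFP page or the rule."""
from __future__ import annotations

# The two API calls named in the rule (event.action).
WATCHED_ACTIONS = {"AssociateIamInstanceProfile", "ReplaceIamInstanceProfile"}


def matches_rule(event: dict) -> bool:
    """True when a raw CloudTrail record satisfies the detection logic above.

    Assumed mapping (check your own ingest pipeline):
      event.provider                       <- eventSource
      event.action                         <- eventName
      event.outcome: success               <- no errorCode present
      aws.cloudtrail.user_identity.type    <- userIdentity.type
      aws.cloudtrail.user_identity.invoked_by <- userIdentity.invokedBy
    """
    identity = event.get("userIdentity", {})
    return (
        event.get("eventSource") == "ec2.amazonaws.com"
        and event.get("eventName") in WATCHED_ACTIONS
        and "errorCode" not in event
        and identity.get("type") != "AWSService"
        and identity.get("invokedBy") != "ssm.amazonaws.com"
    )


def role_name(identity: dict) -> str | None:
    """Role name from an assumed-role ARN of the form
    arn:aws:sts::<account>:assumed-role/<RoleName>/<session>; None otherwise."""
    arn = identity.get("arn", "")
    if ":assumed-role/" not in arn:
        return None
    return arn.split(":assumed-role/", 1)[1].split("/", 1)[0]


def triage(event: dict, validated_automation_roles: set[str]) -> dict:
    """Collect the fields the FP note says to confirm and decide a verdict.

    'suppressed' only when the actor is a role already validated as automation
    (blue/green deployment, remediation); every other match stays 'alert'.
    """
    params = event.get("requestParameters", {})
    profile = params.get("iamInstanceProfile", {})
    identity = event.get("userIdentity", {})
    actor_role = role_name(identity)
    return {
        "action": event.get("eventName"),
        "instance_id": params.get("instanceId"),          # Associate* carries instanceId
        "association_id": params.get("associationId"),    # Replace* carries associationId
        "new_profile": profile.get("arn") or profile.get("name"),
        "actor": identity.get("arn"),
        "verdict": "suppressed" if actor_role in validated_automation_roles else "alert",
    }


def run_detection(events: list[dict], validated_automation_roles: set[str]) -> list[dict]:
    """Apply the rule, then triage every match."""
    return [triage(e, validated_automation_roles) for e in events if matches_rule(e)]


# Constructed sample records (fictional account, instance and role names).
SAMPLE_EVENTS = [
    {   # human operator attaching a profile: should alert
        "eventSource": "ec2.amazonaws.com", "eventName": "AssociateIamInstanceProfile",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/DevOpsAdmin/alice"},
        "requestParameters": {"instanceId": "i-0abc123def456",
                              "iamInstanceProfile": {"arn": "arn:aws:iam::111122223333:instance-profile/AdminProfile"}},
    },
    {   # validated blue/green deployment role: matches the rule, then suppressed
        "eventSource": "ec2.amazonaws.com", "eventName": "ReplaceIamInstanceProfile",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/BlueGreenDeployRole/deploy-42"},
        "requestParameters": {"associationId": "iip-assoc-0fedcba987654321",
                              "iamInstanceProfile": {"name": "WebTierProfile"}},
    },
    {   # AWS service principal: excluded by the rule
        "eventSource": "ec2.amazonaws.com", "eventName": "AssociateIamInstanceProfile",
        "userIdentity": {"type": "AWSService", "invokedBy": "autoscaling.amazonaws.com"},
        "requestParameters": {"instanceId": "i-0111111111111111",
                              "iamInstanceProfile": {"name": "AsgProfile"}},
    },
    {   # failed call: event.outcome is not success
        "eventSource": "ec2.amazonaws.com", "eventName": "AssociateIamInstanceProfile",
        "errorCode": "Client.UnauthorizedOperation",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
        "requestParameters": {"instanceId": "i-0222222222222222"},
    },
    {   # SSM-invoked action: excluded by the rule
        "eventSource": "ec2.amazonaws.com", "eventName": "ReplaceIamInstanceProfile",
        "userIdentity": {"type": "AssumedRole", "invokedBy": "ssm.amazonaws.com",
                         "arn": "arn:aws:sts::111122223333:assumed-role/SsmRemediation/run-1"},
        "requestParameters": {"associationId": "iip-assoc-0123456789abcdef"},
    },
]

if __name__ == "__main__":
    for result in run_detection(SAMPLE_EVENTS, {"BlueGreenDeployRole"}):
        print(result)
```

The exclusion set is deliberately keyed on the role name rather than the whole ARN, so a single validated automation role suppresses all of its sessions; anything acting under an unvalidated role, including an operator assuming an admin role, still surfaces with the instance ID and the new profile ready for the change-record check.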