EC2 Get User Data
MITRE ATT&CK Tactics
This simulates an attacker attempting to retrieve EC2 Instance User Data that frequently includes installation scripts and hard-coded secrets for deployment. This module results in an
Access Denied error as the users are not granted the appropriate permissions
- Calls the
DescribeInstanceAttributeAPI specifying the
userDataattribute (3) times on a fictitious EC2 Instance.
- Resulting event name:
- Assigned IAM Permission: None
Specify which user this attack should run as.
None - no resources are modified.
- See User Guide for Execution Instructions via the Google Cloud Console
- Programmatically execute this workflow with the following cli command:
Identify when a CloudTrail trail is deleted, through CloudTrail's