Detection: EC2 Key Pair Deleted

Overview

Detect when an EC2 key pair was deleted. Deleting a key pair may disrupt access to instances configured to use the key, potentially leading to operational issues or unauthorized access attempts. Monitoring these actions ensures that key deletions are authorized and do not compromise the availability or security of your instances.

References:

Usage

Run the detection in your terminal:

powerpipe detection run aws_cloudtrail_log_detections.detection.ec2_key_pair_deleted

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe detection run aws_cloudtrail_log_detections.detection.ec2_key_pair_deleted --share

SQL

This detection uses a named query:

select
  tp_timestamp as timestamp,
string_split(event_source, '.')[1] || ':' || event_name as operation,
request_parameters ->> 'keyPairId' as resource,
user_identity.arn as actor,
tp_source_ip as source_ip,
tp_index as account_id,
aws_region as region,
tp_id as source_id,
*

from
  aws_cloudtrail_log
where
  event_source = 'ec2.amazonaws.com'
  and event_name = 'DeleteKeyPair'
  and error_code is null

order by
  tp_timestamp desc;

Detection: EC2 Key Pair Deleted

Overview

Usage

SQL

Tags