Destroy an EC2 instance
An adversary may attempt to tear down/terminate an EC2 instance as part of an attempt to impact service availability.
| instanceid | str | ID of an existing EC2 instance | EC2_ID |
aws ec2 terminate-instances --instance-ids EC2_ID
When logs are ingested into ELK, the following Lucene query can be used to identify relevant events.
eventName:TerminateInstances AND eventSource:*.ec2.amazonaws.com
---
title: Destroy an EC2 instance
id: testing
status: experimental
author: Anela Tiro
date: 2023-07-01
description: An adversary may attempt to teardown/terminate an EC2 instance as part of an attempt to impact service availability.
logsource:
  service: cloudtrail
detection:
  selection_source:
    - eventSource: "*.ec2.amazonaws.com"
  events:
    - eventName: "TerminateInstances"
  condition: selection_source AND events
level: low
tags:
  - attack.T1529
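
As an added example (not part of the original page or its project), the following Python code applies the same two selections to CloudTrail records and reports who attempted to terminate which instances and whether the call succeeded. The sample records, account ID, ARN and instance IDs are constructed, and `is_ec2_source` and `find_terminations` are hypothetical helper names. It assumes the rule's `*.ec2.amazonaws.com` pattern is meant to cover the bare `ec2.amazonaws.com` value that CloudTrail records for EC2 API calls, which a strict wildcard match would not.

```python
import json

# Constructed CloudTrail records for illustration (not real log data).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "ec2.amazonaws.com", "eventName": "TerminateInstances",
     "eventTime": "2023-07-01T10:00:00Z", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"},
     "requestParameters": {"instancesSet": {"items": [
         {"instanceId": "i-0aaaaaaaaaaaaaaa1"}, {"instanceId": "i-0aaaaaaaaaaaaaaa2"}]}}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "TerminateInstances",
     "eventTime": "2023-07-01T10:05:00Z", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"},
     "errorCode": "Client.UnauthorizedOperation",
     "requestParameters": {"instancesSet": {"items": [
         {"instanceId": "i-0aaaaaaaaaaaaaaa3"}]}}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"}},
    {"eventSource": "rds.amazonaws.com", "eventName": "DeleteDBInstance",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"}},
]})

EC2_SOURCE = "ec2.amazonaws.com"


def is_ec2_source(value):
    # Assumption: the rule's "*.ec2.amazonaws.com" is meant to cover the bare
    # "ec2.amazonaws.com" value as well as any dot-prefixed form.
    return value == EC2_SOURCE or value.endswith("." + EC2_SOURCE)


def find_terminations(log_text):
    """Return one finding per record matching both selections of the rule."""
    findings = []
    for rec in json.loads(log_text).get("Records", []):
        if not is_ec2_source(rec.get("eventSource", "")):
            continue
        if rec.get("eventName") != "TerminateInstances":
            continue
        items = ((rec.get("requestParameters") or {})
                 .get("instancesSet", {}).get("items", []))
        findings.append({
            "time": rec.get("eventTime"),
            "actor": (rec.get("userIdentity") or {}).get("arn"),
            "source_ip": rec.get("sourceIPAddress"),
            "instances": [i.get("instanceId") for i in items],
            # errorCode is present only when the API call returned an error
            "succeeded": "errorCode" not in rec,
        })
    return findings
```

Rejected calls are kept in the findings with `succeeded` set to false, since a denied `TerminateInstances` attempt is still worth triaging.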