Tags: aws, ec2, for responders

EC2 Instance Connect abuse: an out-of-band shell with no key to rotate

Push a 60-second SSH key with one IAM call and you get a shell with no persistent key on the host. Rotating the host key pair does nothing.

An attacker can get a shell on your instance without ever leaving a key behind, then walk that shell into your cloud account.

How the attack works

An attacker with the right IAM permission calls ec2-instance-connect:SendSSHPublicKey to push an ephemeral SSH public key (valid for roughly 60 seconds) to a running instance, then connects with the matching private key and gets an out-of-band shell with no long-lived key on the host. The same principal can enable the EC2 Serial Console for a second direct path. Inside the shell, the session queries the instance metadata service for the instance role's temporary credentials and reuses them to call S3 and Parameter Store well beyond the instance's normal access pattern. CloudTrail records both the SendSSHPublicKey call and the instance-role API calls that follow. In ATT&CK terms this is T1021, Remote Services, leading to Unsecured Credentials (T1552).

Why it works

The access is granted by an IAM permission, not a key persisted on the host, so the ephemeral key expires on its own and there is nothing on disk to find. Broad Instance Connect and serial-console permissions, plus easily harvestable instance-role credentials, turn one push into cloud reach. The root cause is over-broad out-of-band access permissions.

How to fix it

The non-obvious point is that rotating the host key pair does nothing, because Instance Connect supplies its own ephemeral key and the attacker simply pushes another. Isolate the instance, revoke the principal's ec2-instance-connect and serial-console permissions, and disable the serial console at the account level. Treat the instance-role credentials as compromised and rotate them along with everything they could reach. Reconstruct the session by tying the SendSSHPublicKey event to the instance-role API calls and host logs in the same window. Then scope those permissions to a minimal operator set and require IMDSv2 to limit metadata credential theft.
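The reconstruction step above, as an added example (not tooling from the original note): it reads CloudTrail-style records, finds each SendSSHPublicKey push, and lists every call the pushed instance's role session made inside a time window after it. It relies on the fact that CloudTrail records an instance-profile session as `assumed-role/ROLE/INSTANCE-ID`, so the role session name is the instance id. The records, account id, instance ids, role name, parameter and bucket names and IP addresses are all constructed placeholders, and the `KNOWN_INSTANCE_ADDRESSES` map is an assumption that the responder already knows each instance's egress address from the instance description or VPC flow logs.

```python
"""Tie a SendSSHPublicKey event to the instance role's API calls in the window.

Added example for this note, not code from the original page. The events
below are constructed to mimic CloudTrail records; the account id, instance
ids, role name, parameter name, bucket and IP addresses are placeholders.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed CloudTrail-style records (one log file's "Records" array).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "ec2-instance-connect.amazonaws.com",
     "eventName": "SendSSHPublicKey", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/contractor"},
     "requestParameters": {"instanceId": "i-0123456789abcdef0", "instanceOSUser": "ec2-user"}},
    {"eventTime": "2024-05-01T10:02:30Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "GetParameter", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/AppInstanceRole/i-0123456789abcdef0"},
     "requestParameters": {"name": "/prod/db/password"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/AppInstanceRole/i-0123456789abcdef0"},
     "requestParameters": {"bucketName": "prod-backups", "key": "db/latest.dump"}},
    # Same role, but a different instance's session: must not be attributed to the push.
    {"eventTime": "2024-05-01T10:06:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "198.51.100.8",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/AppInstanceRole/i-0fedcba9876543210"},
     "requestParameters": {"bucketName": "prod-assets", "key": "logo.png"}},
    # Normal activity hours later, outside the window.
    {"eventTime": "2024-05-01T14:00:00Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "GetParameter", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/AppInstanceRole/i-0123456789abcdef0"},
     "requestParameters": {"name": "/prod/app/config"}},
]})

# Assumption: the responder knows each instance's egress address. Role calls
# from any other address mean the credentials were reused off the host.
KNOWN_INSTANCE_ADDRESSES = {"i-0123456789abcdef0": {"198.51.100.7"}}


def parse_time(ts):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def session_instance(user_identity):
    """Instance id for an instance-profile role session, else None.

    CloudTrail records these sessions as
    arn:aws:sts::ACCOUNT:assumed-role/ROLE/INSTANCE-ID (session name = instance id).
    """
    if user_identity.get("type") != "AssumedRole":
        return None
    session = user_identity.get("arn", "").rsplit("/", 1)[-1]
    return session if session.startswith("i-") else None


def correlate(records, window=timedelta(minutes=30), known=KNOWN_INSTANCE_ADDRESSES):
    """For each SendSSHPublicKey, list the pushed instance's role calls in the window."""
    records = sorted(records, key=lambda r: parse_time(r["eventTime"]))
    findings = []
    for push in records:
        if push["eventName"] != "SendSSHPublicKey":
            continue
        t0 = parse_time(push["eventTime"])
        iid = push["requestParameters"]["instanceId"]
        calls = [r for r in records
                 if session_instance(r["userIdentity"]) == iid
                 and t0 <= parse_time(r["eventTime"]) <= t0 + window]
        findings.append({
            "pusher": push["userIdentity"]["arn"],
            "pusherSourceIp": push["sourceIPAddress"],
            "instanceId": iid,
            "osUser": push["requestParameters"].get("instanceOSUser"),
            "windowEnd": (t0 + window).isoformat(),
            "roleCalls": [f'{r["eventTime"]} {r["eventSource"]}:{r["eventName"]} from {r["sourceIPAddress"]}'
                          for r in calls],
            # Calls not from the instance's own address: credential reuse off the host.
            "offHostCalls": [r["eventName"] for r in calls
                             if r["sourceIPAddress"] not in known.get(iid, set())],
        })
    return findings


def load_records(text):
    """Parse one CloudTrail log file body into its list of records."""
    return json.loads(text)["Records"]


if __name__ == "__main__":
    for finding in correlate(load_records(SAMPLE_LOG)):
        print(json.dumps(finding, indent=2))
```

On the constructed sample this yields one finding: the push by `user/contractor`, two role calls inside the window (the GetParameter from the instance's own address and a GetObject from the pusher's address), and that GetObject flagged as off-host. The window length is a tuning choice; 30 minutes is a starting point for an interactive session, and the host's auth and shell logs for the same interval should be read alongside the output.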

Practice it

We built this as a GraphLattice Range scenario so responders learn that the IAM permission, not a host key, is the access path, and practice cutting it and rotating instance-role credentials.