Skip to content

AuthorizeSecurityGroupIngress

AWS

AuthorizeSecurityGroupIngress

service: AWS - EC2
techniques:

Event

Adds inbound rules to a VPC security group, permitting traffic from specified IP ranges or security groups to reach instances.

Security Context

  • Modifying network security controls can open unauthorized access paths while removing evidence of the original restrictive configuration.

Log Source

CloudTrail

Sample Event

Adversarial. Draco opens SSH (TCP port 22) from anywhere on the internet to a security group attached to OCCAMY pipeline EC2 instances (sg-0occamy00000010). Combined with a previously-injected SSH key (see CreateKeyPair event), this gives him a backup path to those instances independent of session-manager / SSO. The 203.0.113.66 source IP plus the older Pacu-fingerprint user agent makes this event a textbook detection target.

{
"eventVersion": "1.09",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDADRAC0MALF0YBADGY",
"arn": "arn:aws:iam::555123456789:user/draco",
"accountId": "555123456789",
"accessKeyId": "AKIADRAC0MALF0YEXAMP5",
"userName": "draco",
"sessionContext": {
"attributes": {
"creationDate": "2026-04-15T18:51:02Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-04-15T21:21:53Z",
"eventSource": "ec2.amazonaws.com",
"eventName": "AuthorizeSecurityGroupIngress",
"awsRegion": "us-east-1",
"sourceIPAddress": "203.0.113.66",
"userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6",
"requestParameters": {
"groupId": "sg-0occamy00000010",
"ipPermissions": {
"items": [
{
"ipProtocol": "tcp",
"fromPort": 22,
"toPort": 22,
"groups": {},
"ipRanges": {
"items": [
{
"cidrIp": "0.0.0.0/0"
}
]
},
"ipv6Ranges": {},
"prefixListIds": {}
}
]
}
},
"responseElements": {
"requestId": "90000000-0000-4000-8000-000001111010",
"_return": true,
"securityGroupRuleSet": {
"items": [
{
"securityGroupRuleId": "sgr-0666ssh66666666666",
"groupOwnerId": "555123456789",
"groupId": "sg-0occamy00000010",
"isEgress": false,
"ipProtocol": "tcp",
"fromPort": 22,
"toPort": 22,
"cidrIpv4": "0.0.0.0/0"
}
]
}
},
"requestID": "90000000-0000-4000-8000-000001111010",
"eventID": "90000000-0000-4000-8000-000001111011",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "555123456789",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "ec2.us-east-1.amazonaws.com"
}
}

MITRE ATT&CK Mapping

Tactics: Defense Impairment Initial Access

Techniques:
  • T1686.001 — Cloud Firewall — Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources.