AuthorizeSecurityGroupIngress
AWS
AuthorizeSecurityGroupIngress
Event
Adds inbound rules to a VPC security group, permitting traffic from specified IP ranges or security groups to reach instances.
Security Context
- Modifying network security controls can open unauthorized access paths while removing evidence of the original restrictive configuration.
Log Source
CloudTrail
Sample Event
Adversarial. Draco opens SSH (TCP port 22) from anywhere on the internet to a security group attached to OCCAMY pipeline EC2 instances (sg-0occamy00000010). Combined with a previously-injected SSH key (see CreateKeyPair event), this gives him a backup path to those instances independent of session-manager / SSO. The 203.0.113.66 source IP plus the older Pacu-fingerprint user agent makes this event a textbook detection target.
{ "eventVersion": "1.09", "userIdentity": { "type": "IAMUser", "principalId": "AIDADRAC0MALF0YBADGY", "arn": "arn:aws:iam::555123456789:user/draco", "accountId": "555123456789", "accessKeyId": "AKIADRAC0MALF0YEXAMP5", "userName": "draco", "sessionContext": { "attributes": { "creationDate": "2026-04-15T18:51:02Z", "mfaAuthenticated": "false" } } }, "eventTime": "2026-04-15T21:21:53Z", "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.66", "userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6", "requestParameters": { "groupId": "sg-0occamy00000010", "ipPermissions": { "items": [ { "ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "groups": {}, "ipRanges": { "items": [ { "cidrIp": "0.0.0.0/0" } ] }, "ipv6Ranges": {}, "prefixListIds": {} } ] } }, "responseElements": { "requestId": "90000000-0000-4000-8000-000001111010", "_return": true, "securityGroupRuleSet": { "items": [ { "securityGroupRuleId": "sgr-0666ssh66666666666", "groupOwnerId": "555123456789", "groupId": "sg-0occamy00000010", "isEgress": false, "ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "cidrIpv4": "0.0.0.0/0" } ] } }, "requestID": "90000000-0000-4000-8000-000001111010", "eventID": "90000000-0000-4000-8000-000001111011", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "555123456789", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "ec2.us-east-1.amazonaws.com" }}MITRE ATT&CK Mapping
Tactics: Defense Impairment Initial Access
Techniques:
- T1686.001 — Cloud Firewall — Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources.