CreateAssociation
Event
Creates an SSM State Manager association, binding a document to instances for persistent or scheduled command execution.
Security Context
- SSM associations execute documents on a schedule or on instance state changes, providing a durable persistence mechanism that survives instance reboots and re-deployments.
- Adversaries abuse State Manager associations to maintain command execution across fleets of instances without needing direct network access.
Log Source
CloudTrail
Sample Event
MITRE ATT&CK Mapping
Tactics: Persistence
Techniques:
- T1053 — Scheduled Task/Job — Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time.
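
Triage logic for this event, as an added example that is not part of the original entry: it reviews CloudTrail CreateAssociation records and notes when the association binds a command-running document, carries a schedule, or targets every managed instance. The sample records are constructed, the ARNs and instance ID are placeholders, and the lowerCamelCase requestParameters field names are an assumption about how CloudTrail renders the API parameters.

```python
# Constructed CloudTrail records for illustration; ARNs and instance IDs are placeholders.
SAMPLE_RECORDS = [
    {"eventSource": "ssm.amazonaws.com", "eventName": "CreateAssociation",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"},
     "requestParameters": {"name": "AWS-RunShellScript",
                           "scheduleExpression": "rate(30 minutes)",
                           "targets": [{"key": "InstanceIds", "values": ["*"]}]}},
    {"eventSource": "ssm.amazonaws.com", "eventName": "CreateAssociation",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/example-inventory-role"},
     "requestParameters": {"name": "AWS-GatherSoftwareInventory",
                           "targets": [{"key": "InstanceIds", "values": ["i-0123456789abcdef0"]}]}},
    {"eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"},
     "requestParameters": {"documentName": "AWS-RunShellScript"}},
]

# AWS-managed documents that run caller-supplied commands on the instance.
COMMAND_DOCUMENTS = {"AWS-RunShellScript", "AWS-RunPowerShellScript"}

def field(obj, name):
    """Read a key in lowerCamelCase (assumed CloudTrail form) or the API's PascalCase."""
    return obj.get(name[0].lower() + name[1:], obj.get(name))

def triage(record):
    """Return None for other events, else a summary with reasons the association needs review."""
    if record.get("eventSource") != "ssm.amazonaws.com" or record.get("eventName") != "CreateAssociation":
        return None
    params = record.get("requestParameters") or {}
    reasons = []
    if field(params, "Name") in COMMAND_DOCUMENTS:
        reasons.append("document runs arbitrary commands")
    if field(params, "ScheduleExpression"):
        reasons.append("recurring schedule")
    for target in field(params, "Targets") or []:
        if field(target, "Key") == "InstanceIds" and "*" in (field(target, "Values") or []):
            reasons.append("targets every managed instance")
    return {"principal": (record.get("userIdentity") or {}).get("arn"),
            "document": field(params, "Name"), "reasons": reasons}

def review_queue(records):
    """Summaries for CreateAssociation events with at least one reason, most reasons first."""
    hits = [s for s in map(triage, records) if s and s["reasons"]]
    return sorted(hits, key=lambda s: len(s["reasons"]), reverse=True)

if __name__ == "__main__":
    for hit in review_queue(SAMPLE_RECORDS):
        print(hit["principal"], hit["document"], "; ".join(hit["reasons"]))
```

Associations created by known deployment roles can be filtered out on the principal before review; the three reasons are starting heuristics, not a complete rule set.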