Suspicious activity

Anomaly detection: Unusual amount of EC2 deletions and unusual cross account activity

Risk Level

Hazardous (3)



Unlike in the past, the role deleted an unusual amount of ec2 instances. The role was assumed by an identity from external cloud account. Those findings might indicate on a malicious usage of the role permissions.
  • Recommended Mitigation

    It is recommended to review the relevant CloudTrail events and principals that issued this API calls, and the instances that were deleted