Blocking cryptomining bills with SCPs
Attackers typically use stolen AWS access keys to deploy expensive cryptomining EC2 instances, but this can be blocked with SCPs.
An AWS Service Control Policy (SCP) is a powerful tool that allows organisations to enforce compliance and security policies across their AWS accounts. SCPs have many uses and they underpin the fantastic guardrails deployed by AWS Control Tower. By creating and enforcing an SCP, an organisation can prevent the creation of unexpected EC2 instances and ensure that only authorised instances are launched in its environment.
It's not uncommon to see organisations scaling their AWS environments with “sandbox” accounts, giving developers free rein to explore and iterate in AWS without impacting persistent environments. SCPs allow controls to be pushed down onto these accounts, limiting what they can be used for.
An example SCP might be:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BlockEC2Creation",
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "ec2:InstanceType": ["t2.micro", "t2.small"]
                }
            }
        }
    ]
}
As always, you should monitor your AWS environment to ensure that only authorised EC2 instances are being launched. If any unexpected instances are detected, you can terminate them immediately from the AWS Management Console or with the AWS CLI. We partner with Datadog, whose Cloud SIEM is pretty much turnkey and ships with some fantastic rules, such as impossible travel and geofencing.
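As an added illustration of that monitoring step (example code, not from the original post and not Datadog's rules), the following Python reads the instance-type allowlist out of the SCP above and flags CloudTrail RunInstances records that either launched a type outside it or were refused by policy; the event records are constructed sample data.

```python
import json

# The SCP from the post, used as the source of the instance-type allowlist.
SCP = json.loads("""{"Version": "2012-10-17", "Statement": [{"Sid": "BlockEC2Creation",
  "Effect": "Deny", "Action": "ec2:RunInstances", "Resource": "*",
  "Condition": {"StringNotEquals": {"ec2:InstanceType": ["t2.micro", "t2.small"]}}}]}""")

def allowed_instance_types(scp):
    """Collect the instance types the SCP's Deny/StringNotEquals statements still permit."""
    allowed = set()
    for stmt in scp["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] != "Deny" or "ec2:RunInstances" not in actions:
            continue
        types = stmt.get("Condition", {}).get("StringNotEquals", {}).get("ec2:InstanceType", [])
        allowed.update([types] if isinstance(types, str) else types)
    return allowed

# Constructed CloudTrail-style records (sample data, not real events), laid out as CloudTrail logs RunInstances.
SAMPLE_EVENTS = [
    {"eventName": "RunInstances",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev-sandbox"},
     "requestParameters": {"instanceType": "t2.micro", "instancesSet": {"items": [{"maxCount": 1}]}}},
    {"eventName": "RunInstances",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev-sandbox"},
     "requestParameters": {"instanceType": "p3.16xlarge", "instancesSet": {"items": [{"maxCount": 20}]}}},
    {"eventName": "RunInstances", "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev-sandbox"},
     "requestParameters": {"instanceType": "p3.2xlarge", "instancesSet": {"items": [{"maxCount": 10}]}}},
    {"eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev-sandbox"}},
]

def flag_launches(events, allowed):
    """Return (principal, instance type, count, reason) for launches outside the allowlist or refused by policy."""
    findings = []
    for ev in events:
        if ev.get("eventName") != "RunInstances":
            continue
        params = ev.get("requestParameters", {})
        itype = params.get("instanceType", "unknown")
        count = sum(i.get("maxCount", 1) for i in params.get("instancesSet", {}).get("items", []))
        who = ev["userIdentity"]["arn"]
        if "errorCode" in ev:  # refused attempts are worth alerting on: a key may be in the wrong hands
            findings.append((who, itype, count, "denied: " + ev["errorCode"]))
        elif itype not in allowed:
            findings.append((who, itype, count, "launched outside allowlist"))
    return findings
```

SCPs do not apply to an organisation's management account, so launches made from there are never refused by the policy and rely on this kind of monitoring alone.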
Whilst an SCP is only one layer of control over AWS accounts, it can be effective in preventing unexpected bills from cryptomining attacks that leverage EC2. More mature organisations would benefit from producing more tailored SCPs that define what can be deployed, rather than what cannot.