Send Slack alerts when large AWS EC2 instances are launched

Once you begin collecting AWS data in Splunk using the Splunk Add-on for AWS, a lot of detection capabilities open up. We will cover the use case of detecting when large EC2 instances are launched, such as the instance types 2xlarge, 4xlarge or 8xlarge, with or without GPUs.

Due to their high CPU and memory specs, they are prime targets for bitcoin miners, and capturing the launch of such instances can indicate a compromised AWS Access Key.
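As an added example (not code from the original post), here is the detection logic in Python rather than SPL: it picks out successful CloudTrail RunInstances events that launched an instance type of 2xlarge or larger (generalizing the 2xlarge/4xlarge/8xlarge examples above), records whether the family is a GPU one, and builds the message body for a Slack incoming webhook. The GPU family list and the sample CloudTrail event are constructed assumptions.

```python
import re

# Size suffix of an EC2 instance type: "c5.4xlarge" -> n=4, "p3.16xlarge" -> n=16, "m5.xlarge" -> n=1.
SIZE_RE = re.compile(r"^(?P<family>[a-z0-9-]+)\.(?P<n>\d*)xlarge$")
# Families that carry GPUs (assumption: a short illustrative list, not exhaustive).
GPU_FAMILIES = {"p2", "p3", "p4d", "g3", "g4dn", "g5"}
MIN_SIZE = 2  # flag 2xlarge and larger, matching the 2xlarge/4xlarge/8xlarge examples in the text

def is_large(instance_type):
    """True for any N-xlarge type with N >= MIN_SIZE, GPU or not; bare 'xlarge' counts as N=1."""
    m = SIZE_RE.match(instance_type or "")
    return bool(m) and int(m.group("n") or 1) >= MIN_SIZE

def classify_run_instances(event):
    """Alert details for a successful CloudTrail RunInstances event with a large instance, else None."""
    if event.get("eventSource") != "ec2.amazonaws.com" or event.get("eventName") != "RunInstances":
        return None
    if event.get("errorCode"):  # request was denied or failed: nothing was actually launched
        return None
    items = ((event.get("responseElements") or {}).get("instancesSet") or {}).get("items") or []
    large = [i for i in items if is_large(i.get("instanceType"))]
    if not large:
        return None
    ident = event.get("userIdentity") or {}
    return {"time": event.get("eventTime"), "region": event.get("awsRegion"),
            "source_ip": event.get("sourceIPAddress"), "principal": ident.get("arn"),
            "access_key": ident.get("accessKeyId"),
            "instances": [(i["instanceId"], i["instanceType"]) for i in large],
            "gpu": any(SIZE_RE.match(i["instanceType"]).group("family") in GPU_FAMILIES for i in large)}

def slack_payload(alert):
    """Message body for a Slack incoming webhook ({"text": ...} is the minimal accepted shape)."""
    inst = ", ".join(f"{iid} ({itype})" for iid, itype in alert["instances"])
    tag = "GPU " if alert["gpu"] else ""
    return {"text": (f":rotating_light: Large {tag}EC2 instance launched in {alert['region']}: {inst}\n"
                     f"Principal: {alert['principal']} (key {alert['access_key']}) "
                     f"from {alert['source_ip']} at {alert['time']}")}

# Constructed sample event in CloudTrail's RunInstances shape (not a real log record).
SAMPLE_EVENT = {
    "eventTime": "2024-01-01T00:00:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
    "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
    "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ci-deploy",
                     "accessKeyId": "AKIAEXAMPLEKEY000000"},
    "responseElements": {"instancesSet": {"items": [
        {"instanceId": "i-0abc", "instanceType": "p3.8xlarge"},
        {"instanceId": "i-0def", "instanceType": "t3.micro"}]}},
}
```

Bare-metal types such as `g4dn.metal` carry no `xlarge` suffix and are deliberately not matched here; extend `is_large` if those should alert too.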