TL;DR
- A sudden AWS cost spike is often a security signal – not just a finance anomaly.
- Crypto mining in AWS typically follows compromised IAM credentials and over-permissive roles.
- Detect early with GuardDuty and CloudTrail, prevent abuse with SCPs and least privilege, and automate containment to reduce blast radius.
There’s a cloud incident that starts with cost, not data loss. A compromised IAM access key. A burst of unusual API calls. Spikes in EC2, ECS, Fargate or Lambda. Then a bill that looks nothing like yesterday. AWS has warned that unauthorized crypto mining in cloud environments is now a top security risk – not merely a FinOps problem.
Why a Cost Spike is a Security Problem
Crypto mining almost always means an attacker can already operate your control plane. If they can launch EC2 instances, register ECS tasks, scale Auto Scaling groups, modify EC2 attributes, or expose unauthenticated Lambda Function URLs, you do not have an “unexpected cost” – you have live abuse of AWS resources and identity.
Typical Root Causes and Gaps
- Identity compromise and leaked access keys.
- Excessive IAM permissions and weak role trust policies.
- Gaps in GuardDuty or CloudTrail coverage.
- Unconstrained service quotas across regions.
- Missing automated response and containment.
- Persistence mechanisms planted for re-entry that nobody hunts for after the first cleanup.
What AWS Crypto Mining Looks Like
Common indicators across accounts and regions:
- Identity and API anomalies: CreateAccessKey, unusual AssumeRole targets, ConsoleLogin from new geographies, bursts of RunInstances, CreateLaunchTemplate, CreateFleet, CreateAutoScalingGroup, RegisterTaskDefinition, RunTask, UpdateService, CreateFunctionUrlConfig.
- Compute signals: Surges in EC2 (especially GPU and compute-optimized families), sharp Fargate vCPU-hour growth, ECS tasks scaling without a normal deployment, Lambda concurrency spikes.
- Network and DNS egress: Repeated connections to mining pools, suspicious domains flagged by GuardDuty CryptoCurrency findings, new egress patterns from private subnets.
Detect Early, in Every Account and Region
- Amazon GuardDuty: Enable in all regions and aggregate findings to an AWS Organizations delegated administrator account. Treat CryptoCurrency:*, UnauthorizedAccess:IAMUser/* and the *:IAMUser/AnomalousBehavior findings as page-worthy.
- AWS CloudTrail: Run organization-level, multi-region trails with S3 Object Lock; use CloudTrail Lake or Athena to hunt.
- High-signal API monitoring:
- Compute: RunInstances, CreateLaunchTemplate, CreateFleet, CreateAutoScalingGroup, UpdateAutoScalingGroup, RegisterTaskDefinition, RunTask, PutScalingPolicy.
- IAM: CreateAccessKey, AttachUserPolicy, PutUserPolicy, UpdateAssumeRolePolicy, and PassRole (not a CloudTrail event of its own – look for the role passed inside RunInstances, CreateFunction and RegisterTaskDefinition calls).
- Lambda: CreateFunctionUrlConfig, UpdateFunctionUrlConfig, especially when AuthType is NONE.
- Centralize alerts: Use AWS Security Hub and route to your SIEM, Slack, or PagerDuty.
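The API list above is easiest to reason about as a hunt you can run over CloudTrail. The script below is an added example, not Cloudride's tooling: it takes the `Records` array of a CloudTrail log file (or rows exported from CloudTrail Lake or Athena) and flags the identity, Function URL and compute signals the list names, including a RunInstances burst per identity. The records it ships with are constructed and abbreviated to the fields the checks read, and the burst window and threshold are assumptions to tune per account.

```python
"""Hunt for crypto-mining precursors in CloudTrail events (added example).

Not Cloudride's tooling. Feed it the `Records` array of a CloudTrail log
file or rows from a CloudTrail Lake / Athena export; the records below are
constructed and abbreviated to the fields the checks read. The burst window
and threshold are assumptions to tune per account.
"""
from collections import defaultdict
from datetime import datetime, timedelta

GPU_PREFIXES = ("p", "g")               # instance families singled out above
BURST_WINDOW = timedelta(minutes=10)    # assumption
BURST_THRESHOLD = 5                     # RunInstances per identity per window (assumption)
IDENTITY_APIS = {"CreateAccessKey", "AttachUserPolicy", "PutUserPolicy",
                 "UpdateAssumeRolePolicy"}
URL_APIS = {"CreateFunctionUrlConfig", "UpdateFunctionUrlConfig"}


def identity_of(evt):
    ui = evt.get("userIdentity", {})
    return ui.get("arn") or ui.get("principalId", "unknown")


def event_time(evt):
    return datetime.strptime(evt["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def hunt(events):
    """Return (severity, identity, reason) tuples for the high-signal APIs."""
    findings = []
    run_times = defaultdict(list)       # identity -> recent RunInstances timestamps
    for evt in sorted(events, key=event_time):
        name, who = evt["eventName"], identity_of(evt)
        params = evt.get("requestParameters") or {}
        if name in IDENTITY_APIS:
            target = params.get("userName") or params.get("roleName", "?")
            findings.append(("high", who, f"{name} on {target}"))
        elif name in URL_APIS and params.get("authType") == "NONE":
            findings.append(("high", who, f"unauthenticated Function URL on {params.get('functionName')}"))
        elif name == "RunInstances":
            itype = params.get("instanceType", "")
            if itype.lower().startswith(GPU_PREFIXES):
                findings.append(("high", who, f"RunInstances {itype} in {evt['awsRegion']}"))
            stamps = run_times[who]
            stamps.append(event_time(evt))
            while stamps[-1] - stamps[0] > BURST_WINDOW:   # slide the window forward
                stamps.pop(0)
            if len(stamps) == BURST_THRESHOLD:             # fire once, on the crossing
                findings.append(("medium", who, f"{BURST_THRESHOLD} RunInstances within {BURST_WINDOW}"))
    return findings


def _rec(time, name, arn, region="us-east-1", **params):
    """Build a constructed, abbreviated CloudTrail record."""
    return {"eventTime": f"2024-05-01T{time}Z", "eventName": name, "awsRegion": region,
            "userIdentity": {"arn": arn}, "requestParameters": params}


LEAKED = "arn:aws:iam::111122223333:user/ci-deploy"
DEPLOY = "arn:aws:sts::111122223333:assumed-role/Deploy/pipeline"
SAMPLE_EVENTS = [   # constructed sample, not real telemetry
    _rec("08:00:00", "CreateAccessKey", LEAKED, userName="ci-deploy"),
    _rec("08:01:00", "CreateFunctionUrlConfig", LEAKED, functionName="img-resize", authType="NONE"),
    _rec("08:02:00", "RunInstances", LEAKED, instanceType="p3.2xlarge"),
    _rec("08:02:30", "RunInstances", LEAKED, instanceType="c5.9xlarge"),
    _rec("08:03:00", "RunInstances", LEAKED, instanceType="c5.9xlarge"),
    _rec("08:03:30", "RunInstances", LEAKED, instanceType="c5.9xlarge"),
    _rec("08:04:00", "RunInstances", LEAKED, instanceType="c5.9xlarge"),
    _rec("09:00:00", "RunInstances", DEPLOY, region="eu-west-1", instanceType="t3.micro"),
]

if __name__ == "__main__":
    for sev, who, why in hunt(SAMPLE_EVENTS):
        print(f"[{sev}] {who}: {why}")
```

Run against the sample it raises four findings for the leaked `ci-deploy` user (the new key, the unauthenticated URL, the GPU launch and the launch burst) and nothing for the pipeline role's single `t3.micro`; in production the identity in each tuple is what you pivot on next.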
Prevent Abuse with Prescriptive Guardrails
- Service Control Policies (SCPs):
- Deny unapproved regions (Condition: aws:RequestedRegion), carving out global services such as IAM, STS and Organizations with NotAction so the deny does not break them.
- Deny lambda:CreateFunctionUrlConfig and lambda:UpdateFunctionUrlConfig when lambda:FunctionUrlAuthType is NONE; require AWS_IAM auth.
- Deny ec2:RunInstances for unapproved instance families (Condition: ec2:InstanceType) – especially the g* and p* GPU families. Enforce approved AMIs and mandatory tags at launch.
- Deny iam:CreateAccessKey for human users. Prefer AWS IAM Identity Center (SSO) and short-lived credentials.
- Least Privilege by Design:
- Replace IAM users with federated SSO. Require MFA. Use permission boundaries for CI/CD and automation roles.
- Scope PassRole to specific roles and services. Remove wildcard actions and resources.
- Network Egress Control:
- Centralize outbound traffic through egress VPCs and restrict it with firewalls or NACLs.
- Block known mining pool domains or IP ranges where feasible. Alert on new ASNs and unusual ports.
- Harden Defaults:
- Private ECR only with image scanning. VPC-only Lambda for sensitive workloads.
- Protect logs from tampering. Lock GuardDuty and CloudTrail configuration changes to security admins.
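The three SCP denies above fit in one policy document. The block below is an added example, not Cloudride's or AWS's code: `GUARDRAIL_SCP` is a real SCP you can attach in Organizations after adjusting the approved-region list and the global-service carve-outs, and the small evaluator under it models IAM's Deny logic just far enough to show which requests the policy blocks before it goes live. The evaluator is an assumption-laden model rather than IAM itself: it handles only Deny statements with Action or NotAction, the three string operators the policy uses, and treats a missing context key as "does not match". The request contexts are constructed.

```python
"""The SCP guardrails above as one deployable policy, plus an offline check.

Added example, not Cloudride's or AWS's code. GUARDRAIL_SCP is a real SCP
document (adjust the region list and the global-service carve-outs before
attaching it). The evaluator is a deliberately small model of IAM's Deny
logic, not IAM: Deny statements only, Action/NotAction, the three string
operators used here, and a missing context key never matches. Contexts are
constructed.
"""
import fnmatch
import json

APPROVED_REGIONS = ["eu-west-1", "eu-central-1"]   # assumption

GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Region deny; NotAction carves out global services that always report us-east-1.
            "Sid": "DenyUnapprovedRegions",
            "Effect": "Deny",
            "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*", "budgets:*"],
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": APPROVED_REGIONS}},
        },
        {   # Function URLs may only be created or updated with AWS_IAM auth.
            "Sid": "DenyUnauthenticatedFunctionUrls",
            "Effect": "Deny",
            "Action": ["lambda:CreateFunctionUrlConfig", "lambda:UpdateFunctionUrlConfig"],
            "Resource": "*",
            "Condition": {"StringEquals": {"lambda:FunctionUrlAuthType": "NONE"}},
        },
        {   # Block the GPU families miners favour; add other accelerator families you do not use.
            "Sid": "DenyGpuInstanceFamilies",
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {"StringLike": {"ec2:InstanceType": ["p*", "g*"]}},
        },
    ],
}

OPERATORS = {
    "StringEquals": lambda actual, wanted: actual in wanted,
    "StringNotEquals": lambda actual, wanted: actual not in wanted,
    "StringLike": lambda actual, wanted: any(fnmatch.fnmatchcase(actual, p) for p in wanted),
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(stmt, action):
    """IAM action names are case-insensitive and '*' matches across ':'."""
    def hit(patterns):
        return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))
    return hit(stmt["Action"]) if "Action" in stmt else not hit(stmt["NotAction"])


def _conditions_match(stmt, context):
    for operator, clauses in stmt.get("Condition", {}).items():
        for key, wanted in clauses.items():
            if key not in context or not OPERATORS[operator](context[key], _as_list(wanted)):
                return False            # every clause must hold (AND across keys)
    return True


def denying_statements(policy, action, context):
    """Sids of Deny statements that match; empty means the SCP does not block the call."""
    return [s["Sid"] for s in policy["Statement"]
            if s["Effect"] == "Deny" and _action_matches(s, action) and _conditions_match(s, context)]


def scp_allows(policy, action, context):
    return not denying_statements(policy, action, context)


if __name__ == "__main__":
    print(json.dumps(GUARDRAIL_SCP, indent=2))   # the document to attach
    ctx = {"aws:RequestedRegion": "us-east-1", "ec2:InstanceType": "p3.2xlarge"}
    print(denying_statements(GUARDRAIL_SCP, "ec2:RunInstances", ctx))
```

Remember that an SCP only ever denies; a request that survives every statement here still needs an Allow in the principal's own policies, and the real test before rollout is the IAM policy simulator or a staging OU, not this model.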
Limit Blast Radius with Right-Sized Quotas
- Review and cap sensitive quotas per region: EC2 On-Demand vCPU quotas (the G and P GPU families have quotas of their own), Fargate vCPU counts, ECS task limits, and AWS Lambda account-level and per-function concurrency.
- Reduce quotas in unused regions and pair with region-deny SCPs.
- Tune AWS Cost Anomaly Detection and Budgets with thresholds per environment and route alerts to Security – not just Finance.
Automate the First 15 Minutes of Response
Event-driven containment playbooks (AWS EventBridge or SOAR):
- Identity: Disable newly created IAM access keys. Quarantine suspicious users or roles.
- Account: Apply a quarantine SCP to the affected account that denies new compute and network changes except for responders.
- EC2: Attach a quarantine security group that blocks egress, detach instance profiles (and revoke the role's active sessions – credentials already pulled from the instance metadata service stay valid until they expire), snapshot EBS, then stop or terminate.
- ECS/EKS: Scale services to zero, stop tasks or pods, cordon nodes.
- Lambda: Remove or lock Function URLs, set reserved concurrency to zero for suspect functions.
- Evidence: Snapshot EBS, capture instance metadata and user data, export relevant GuardDuty and CloudTrail records.
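One way to wire the EC2 and identity steps above into an event-driven handler, as an added example that is not Cloudride's or AWS's code: an EventBridge rule on GuardDuty findings invokes `handler`, which snapshots first, isolates second and stops last, and returns the actions taken so every run is auditable. The AWS clients are injected, so the same function runs offline against the recording fakes in the block; in Lambda you pass `boto3.client("ec2")` and `boto3.client("iam")` instead. The quarantine security group (pre-created, with no inbound or outbound rules, so nothing egresses), the finding families that are auto-contained, and the sample finding are all assumptions or constructed.

```python
"""Containment for a GuardDuty finding, in playbook order (added example).

Not Cloudride's or AWS's code. An EventBridge rule on "GuardDuty Finding"
events invokes `handler`; the point is the ordering: evidence, then
isolation, then stop, never the reverse. Clients are injected so the
function runs offline against the recording fakes below; in Lambda pass
boto3.client("ec2") and boto3.client("iam"). QUARANTINE_SG, AUTO_CONTAIN and
SAMPLE_FINDING are assumptions / constructed.
"""
QUARANTINE_SG = "sg-0123456789abcdef0"      # assumption: exists in the instance's VPC, no rules
AUTO_CONTAIN = ("CryptoCurrency:", "UnauthorizedAccess:")   # assumption: families auto-contained


def contain_instance(instance_id, ec2, finding_id):
    """Isolate an EC2 instance while preserving evidence. Returns the actions taken."""
    actions = []
    # 1. Evidence first: snapshot every attached EBS volume before anything changes.
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    for mapping in inst.get("BlockDeviceMappings", []):
        vol = mapping["Ebs"]["VolumeId"]
        ec2.create_snapshot(VolumeId=vol, Description=f"IR evidence {finding_id}",
                            TagSpecifications=[{"ResourceType": "snapshot",
                                                "Tags": [{"Key": "guardduty-finding", "Value": finding_id}]}])
        actions.append(f"snapshot:{vol}")
    # 2. Cut egress: replacing every security group also stops the miner's pool traffic.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[QUARANTINE_SG])
    actions.append("quarantine-sg")
    # 3. Take the role away. Caveat: credentials already fetched from IMDS stay valid until
    #    they expire, so also revoke the role's active sessions (aws:TokenIssueTime deny).
    assoc = ec2.describe_iam_instance_profile_associations(
        Filters=[{"Name": "instance-id", "Values": [instance_id]}])
    for a in assoc.get("IamInstanceProfileAssociations", []):
        ec2.disassociate_iam_instance_profile(AssociationId=a["AssociationId"])
        actions.append(f"detach-profile:{a['AssociationId']}")
    # 4. Stop rather than terminate so the root volume survives for forensics.
    ec2.stop_instances(InstanceIds=[instance_id])
    actions.append("stop")
    return actions


def contain_access_key(key_id, user_name, iam):
    """Deactivate, do not delete: the key ID must still resolve in CloudTrail during the hunt."""
    iam.update_access_key(UserName=user_name, AccessKeyId=key_id, Status="Inactive")
    return [f"deactivate-key:{key_id}"]


def handler(event, ec2, iam):
    """EventBridge entry point; returns the actions so every run is auditable."""
    detail = event["detail"]
    if not detail["type"].startswith(AUTO_CONTAIN):
        return []
    res = detail["resource"]
    if res["resourceType"] == "Instance":
        return contain_instance(res["instanceDetails"]["instanceId"], ec2, detail["id"])
    if res["resourceType"] == "AccessKey" and res["accessKeyDetails"].get("userType") == "IAMUser":
        key = res["accessKeyDetails"]
        return contain_access_key(key["accessKeyId"], key["userName"], iam)
    return []   # roles and root go to a human; the quarantine SCP is the fallback


class RecordingClient:
    """Offline stand-in for a boto3 client: records calls, answers describe_* from canned data."""
    def __init__(self, canned=None):
        self.calls, self.canned = [], canned or {}

    def __getattr__(self, name):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            return self.canned.get(name, {})
        return call


SAMPLE_FINDING = {"detail": {            # constructed, abbreviated GuardDuty finding
    "id": "20b0c1d2e3f4-example", "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
    "resource": {"resourceType": "Instance",
                 "instanceDetails": {"instanceId": "i-0abc1234def567890"}}}}


def demo():
    ec2 = RecordingClient({
        "describe_instances": {"Reservations": [{"Instances": [{"BlockDeviceMappings": [
            {"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0aaa1111bbbb2222c"}}]}]}]},
        "describe_iam_instance_profile_associations": {
            "IamInstanceProfileAssociations": [{"AssociationId": "iip-assoc-0111aaaa2222bbbb3"}]},
    })
    return handler(SAMPLE_FINDING, ec2, RecordingClient()), [name for name, _ in ec2.calls]


if __name__ == "__main__":
    actions, calls = demo()
    print("actions:", actions)
    print("api calls:", calls)
```

The handler deliberately stops rather than terminates and deactivates rather than deletes: both keep the evidence and the identifiers you will need in the hunt that follows, and both are reversible if the finding turns out to be a false positive.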
Hunt for Persistence and Privilege Escalation
Review the last 7–30 days for:
- New IAM users, keys, inline policies, and unusual PassRole links.
- Modified instance profiles and trust policies that allow external principals.
- EventBridge schedules, SSM documents, Lambda URLs, and CodeBuild projects that can respawn compute.
- Backdoor networking changes – new NATs, internet gateways, peering, or Transit Gateway attachments.
Then rotate credentials, invalidate sessions, and rebuild compromised workloads from known-good images.
Security plus FinOps – Connect the Dots
Cost telemetry becomes high-signal security data when wired to a response:
- AWS Cost Anomaly Detection -> EventBridge -> Security orchestration -> Containment.
- Environment-aware budgets to catch surges within hours – not weeks.
- Account vending, tagging, and an OU structure that separates experimental from regulated environments so quotas and SCPs match risk.
Quick Checklist for Leaders
- GuardDuty and CloudTrail are enabled organization-wide in all regions with routed alerts.
- SCPs blocking risky regions, GPU families, and unauthenticated Lambda Function URLs.
- IAM modernization: federation first, permission boundaries, no human access keys, MFA required.
- Service quotas are tuned to the minimum necessary; unused regions are effectively off.
- Cost anomalies are treated as security alerts with automated first actions.
- Playbooks documented and tested – responders can quarantine in minutes.
FAQ
What is crypto mining in AWS? Unauthorized use of AWS compute services like EC2, ECS, Fargate, or Lambda to mine cryptocurrency, usually after IAM credential compromise.
What are the top indicators of AWS crypto mining? Sudden cost spikes, GuardDuty CryptoCurrency findings, bursts of RunInstances or RegisterTaskDefinition, creation of Lambda Function URLs with unauthenticated access, and unusual outbound traffic to mining pools.
How do I stop crypto mining in AWS fast? Quarantine with SCPs that deny new compute, disable newly created access keys, block egress on suspicious instances, scale ECS/EKS services to zero, and cap Lambda concurrency while preserving evidence.
Which AWS controls prevent crypto mining? GuardDuty, organization-wide CloudTrail, SCPs for regions and instance families, least privilege IAM with SSO, strict service quotas, and automated incident response.
The Bottom Line
Crypto mining is not just stolen CPU – it is evidence that attackers can abuse your cloud faster than humans can investigate. In AWS, visibility matters – but prevention, strong identity controls, right-sized quotas, and automated responses shrink the blast radius. Do not let the invoice become your SIEM.
Check your own Security Gap
Cloudride designs and implements AWS guardrails, multi-account security architectures, and automated incident response tailored to your risk profile. If you want an assessment of your exposure to crypto mining or a rapid uplift of your AWS SecOps posture.

