If my Amazon EC2 credentials are stolen at time D, can I verify the integrity of the root volume by:
- Lookup the instance in EC2 API, check the time the primary network interface was attached, and use that as system creation time
- Lookup the time the volume was attached
- If the time the system was created is within 10 seconds of the time the root volume was attached, consider the system unmodified.
I'm assuming here that the instance was created before time D.
Another way to ask the question: This situation. I have an instance. I stop the instance. Someone steals (borrows) my AWS credentials, mounts the root volume of that instance to server B, modifies the root volume by adding their SSH key, and remounts it to the original server. How do I know the volume was modified before I boot the original server?
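The three-step check described in the question, written out as an added example that is not part of the original post. It reads one instance in the shape returned by the EC2 DescribeInstances API (the fields `RootDeviceName`, `NetworkInterfaces[].Attachment.AttachTime`/`DeviceIndex` and `BlockDeviceMappings[].Ebs.AttachTime` are real API fields; the instance and volume ids below are constructed placeholders), takes the primary network interface's attach time as the creation time, finds the root volume by `RootDeviceName`, and flags the instance when the root volume was attached more than 10 seconds after creation. The `check_live_instance` helper is an assumption about how one would feed a real instance into the check with boto3; everything else runs offline on the constructed samples.

```python
"""Attach-time heuristic from the question: an EBS root volume that was detached
and re-attached carries a newer AttachTime than the primary ENI."""
from datetime import datetime, timedelta, timezone

ATTACH_TOLERANCE = timedelta(seconds=10)  # the 10-second window from the question


def make_sample(root_attach_offset_seconds):
    """Constructed sample shaped like one Instance dict from DescribeInstances.
    Only the fields the check reads are present; all ids are placeholders."""
    created = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    return {
        "InstanceId": "i-00000000000000000",  # placeholder, not a real instance
        "RootDeviceName": "/dev/xvda",
        "NetworkInterfaces": [
            {"Attachment": {"DeviceIndex": 0, "AttachTime": created}},
        ],
        "BlockDeviceMappings": [
            # A data volume attached days later; it must not influence the check.
            {"DeviceName": "/dev/xvdf",
             "Ebs": {"VolumeId": "vol-placeholder-data",
                     "AttachTime": created + timedelta(days=3)}},
            {"DeviceName": "/dev/xvda",
             "Ebs": {"VolumeId": "vol-placeholder-root",
                     "AttachTime": created + timedelta(seconds=root_attach_offset_seconds)}},
        ],
    }


def creation_time(instance):
    """Step 1: use the primary ENI (DeviceIndex 0) attach time as creation time."""
    for eni in instance["NetworkInterfaces"]:
        attachment = eni["Attachment"]
        if attachment["DeviceIndex"] == 0:
            return attachment["AttachTime"]
    raise ValueError("instance has no primary network interface")


def root_attach_time(instance):
    """Step 2: attach time of the volume mapped to the root device name."""
    root_device = instance["RootDeviceName"]
    for mapping in instance["BlockDeviceMappings"]:
        if mapping["DeviceName"] == root_device and "Ebs" in mapping:
            return mapping["Ebs"]["AttachTime"]
    raise ValueError("root device is not an EBS volume (instance-store root?)")


def root_attach_delay(instance):
    """Seconds between creation and the current root volume attachment."""
    return (root_attach_time(instance) - creation_time(instance)).total_seconds()


def root_volume_reattached(instance, tolerance=ATTACH_TOLERANCE):
    """Step 3: True when the root volume was attached outside the window,
    i.e. it has been detached and attached again since the instance was built."""
    return root_attach_delay(instance) > tolerance.total_seconds()


def check_live_instance(instance_id, region_name):
    """Assumed wrapper: fetch a real instance with boto3 and run the check.
    Needs network access and credentials, so boto3 is imported only here."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region_name)
    response = ec2.describe_instances(InstanceIds=[instance_id])
    instance = response["Reservations"][0]["Instances"][0]
    return root_volume_reattached(instance)


if __name__ == "__main__":
    for label, inst in (("untouched", make_sample(4)),
                        ("re-attached", make_sample(3 * 86400))):
        print(f"{label}: delay={root_attach_delay(inst):.0f}s "
              f"reattached={root_volume_reattached(inst)}")
```

The check answers only the narrow question of whether the current root volume attachment is newer than the instance itself; an instance-store root has no EBS attach time at all, which is why `root_attach_time` raises instead of silently returning "unmodified".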
If you want to implement security auditing for your EC2 instances, consider using native Windows capabilities such as the Security event log ( https://msdn.microsoft.com/en-us/library/windows/desktop/aa385780(v=vs.85).aspx ). In case of using Linux, you can install some third-party auditing tools ( https://cisofy.com/lynis/ ).
If it shows any suspicious activity such as logins from unknown locations, your instance is compromised.
Also it's recommended to limit the IP address range that can be used as a source IP address in order to connect to your instance. In this case, even if your key is stolen, it won't be possible to connect to your instance from anywhere except your network location.