AWS GPU Instance Usage Spike

This alert occurs when Lacework detects a sudden, unexpected increase in the number of API calls to launch GPU instances for an AWS account.

Why this Alert is Important

This alert could indicate coinminer attacks, misconfigurations, or rare but legitimate GPU usage.

Investigation

Examine the event history to understand the frequency of previous occurrences. This event may also be related to recent changes in an automation module or script.

Examine the request parameters and task being performed when the event was triggered. Is the event caused by an unsuccessful attempt to access objects, data, or secrets? This can be indicative of attempts at discovery, privilege escalation or lateral movement.

Investigate the user. Is this activity part of an expected workflow for the user context?

Consider the source IP address and geolocation of the user. Is the source EC2 IP address associated with an EC2 instance in one of your accounts? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?
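
The investigation steps above can be run as one pass over exported CloudTrail records. The following is an added example, not Lacework's detection logic: it groups GPU `RunInstances` calls by hour, principal, source IP and error code, and flags hours well above the median. The sample records, the account ID, principal names, IP addresses, the `p*`/`g*` family heuristic and the spike factor are all constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Assumption: instance types in the p*/g* families count as "GPU" here.
GPU_FAMILY = re.compile(r"^[pg]\d")

def _ev(time, arn, ip, itype, n=1, err=None):
    """Build one constructed CloudTrail RunInstances record (only the fields used below)."""
    rec = {"eventName": "RunInstances", "eventTime": time, "sourceIPAddress": ip,
           "userIdentity": {"arn": arn},
           "requestParameters": {"instanceType": itype,
                                 "instancesSet": {"items": [{"minCount": n, "maxCount": n}]}}}
    if err:
        rec["errorCode"] = err
    return rec

PIPELINE = "arn:aws:sts::111122223333:assumed-role/ml-pipeline/job"  # constructed
DEV = "arn:aws:iam::111122223333:user/dev-temp"                      # constructed
SAMPLE_EVENTS = [  # constructed sample data, not real logs
    _ev("2024-05-01T09:10:00Z", PIPELINE, "198.51.100.10", "g4dn.xlarge"),
    _ev("2024-05-02T09:05:00Z", PIPELINE, "198.51.100.10", "g4dn.xlarge"),
    _ev("2024-05-02T09:20:00Z", PIPELINE, "198.51.100.10", "m5.large"),
] + [
    _ev(f"2024-05-03T02:0{i}:00Z", DEV, "203.0.113.77", "p3.16xlarge", 10,
        "Client.UnauthorizedOperation" if i >= 3 else None)
    for i in range(5)
]

def gpu_launches(events):
    """Yield (hour, principal, source_ip, requested_count, error) per GPU RunInstances call."""
    for e in events:
        rp = e.get("requestParameters") or {}
        if e.get("eventName") != "RunInstances" or not GPU_FAMILY.match(rp.get("instanceType", "")):
            continue
        items = (rp.get("instancesSet") or {}).get("items") or [{}]
        count = sum(int(i.get("maxCount", 1)) for i in items)
        yield (e["eventTime"][:13], e["userIdentity"].get("arn"), e["sourceIPAddress"],
               count, e.get("errorCode"))

def find_spikes(events, factor=3):
    """Return [(hour, calls, {(principal, ip, error): instances})] for hours >= factor x median."""
    calls, detail = Counter(), defaultdict(Counter)
    for hour, arn, ip, count, err in gpu_launches(events):
        calls[hour] += 1
        detail[hour][(arn, ip, err)] += count
    if not calls:
        return []
    median = sorted(calls.values())[len(calls) // 2]
    return [(h, n, dict(detail[h])) for h, n in sorted(calls.items()) if n >= factor * median]
```

Each flagged hour lists who made the calls, from where, how many instances were requested, and whether the calls failed, which maps directly onto the user, source IP and unsuccessful-attempt questions above.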

Resolution

Examine the metrics on your instance. Correlate any CPU usage spikes to processes running at the time to determine whether the spike is associated with planned or known activity.