I'm curious about a Python script named "main_entrance_cross_account.py" that ran on one of our EC2 instances. It maxed out CPU usage at 100% for under a minute, and I'm unsure what its purpose is. I couldn't find any information about it online, so does anyone know what this script is supposed to do?
4 Answers
Are you part of a larger organization? Sometimes they run scripts for system hardening that aren't widely documented. Make sure you check for any interesting CloudFormation stacks that might be running as well. Also, it’s worth considering the possibility that this could be malicious activity, so keep an eye on permissions and roles—especially those that might be too permissive.
That script is definitely not something standard that AWS provides. If you can, show us what the contents of the script are. It could give more insight into what it's doing and why it spiked CPU usage so high.
Dropping the contents of the Python file might reveal its true intent. The name alone sounds suspicious—kind of like a hacker tool that enables full access across multiple accounts. Better to be safe and inspect it closely!
It sounds like that script might not be an official AWS tool. Have you checked if it's something from a security vendor or possibly a custom script your organization uses? Getting a look at the script's code would really help clarify things. Maybe share a snippet here if you can?

It's built from our private AMI. We don't own the script, and I've never encountered it before. It might be part of a package, but it's concerning since I couldn't find it anywhere on the filesystem.