URL: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html

GUARDDUTY IAM FINDING TYPES

The following findings are specific to IAM entities and access keys and always
have a Resource Type of AccessKey. The severity and details of the findings
differ based on the finding type.

The findings listed here include the data sources and models used to generate
that finding type. For more information, see Foundational data sources.

For all IAM-related findings, we recommend that you examine the entity in
question and ensure that its permissions follow the best practice of least
privilege. If the activity is unexpected, the credentials may be compromised.
For information about remediating findings, see Remediating compromised AWS
credentials.

TOPICS

 * CredentialAccess:IAMUser/AnomalousBehavior
 * DefenseEvasion:IAMUser/AnomalousBehavior
 * Discovery:IAMUser/AnomalousBehavior
 * Exfiltration:IAMUser/AnomalousBehavior
 * Impact:IAMUser/AnomalousBehavior
 * InitialAccess:IAMUser/AnomalousBehavior
 * PenTest:IAMUser/KaliLinux
 * PenTest:IAMUser/ParrotLinux
 * PenTest:IAMUser/PentooLinux
 * Persistence:IAMUser/AnomalousBehavior
 * Policy:IAMUser/RootCredentialUsage
 * PrivilegeEscalation:IAMUser/AnomalousBehavior
 * Recon:IAMUser/MaliciousIPCaller
 * Recon:IAMUser/MaliciousIPCaller.Custom
 * Recon:IAMUser/TorIPCaller
 * Stealth:IAMUser/CloudTrailLoggingDisabled
 * Stealth:IAMUser/PasswordPolicyChange
 * UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B
 * UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS
 * UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS
 * UnauthorizedAccess:IAMUser/MaliciousIPCaller
 * UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom
 * UnauthorizedAccess:IAMUser/TorIPCaller


CREDENTIALACCESS:IAMUSER/ANOMALOUSBEHAVIOR


AN API USED TO GAIN ACCESS TO AN AWS ENVIRONMENT WAS INVOKED IN AN ANOMALOUS
WAY.

Default severity: Medium

 * Data source: CloudTrail management event

This finding informs you that an anomalous API request was observed in your
account. This finding may include a single API or a series of related API
requests made in proximity by a single user identity. The API observed is
commonly associated with the credential access stage of an attack when an
adversary is attempting to collect passwords, usernames, and access keys for
your environment. The APIs in this category are GetPasswordData, GetSecretValue,
and GenerateDbAuthToken.

This API request was identified as anomalous by GuardDuty's anomaly detection
machine learning (ML) model. The ML model evaluates all API requests in your
account and identifies anomalous events that are associated with techniques used
by adversaries. The ML model tracks various factors of the API request, such as
the user that made the request, the location the request was made from, and the
specific API that was requested. Details on which factors of the API request are
unusual for the user identity that invoked the request can be found in the
finding details.

Remediation recommendations:

If this activity is unexpected, your credentials may be compromised. For more
information, see Remediating compromised AWS credentials.


DEFENSEEVASION:IAMUSER/ANOMALOUSBEHAVIOR


AN API USED TO EVADE DEFENSIVE MEASURES WAS INVOKED IN AN ANOMALOUS WAY.

Default severity: Medium

 * Data source: CloudTrail management event

This finding informs you that an anomalous API request was observed in your
account. This finding may include a single API or a series of related API
requests made in proximity by a single user identity. The API observed is
commonly associated with defense evasion tactics where an adversary is trying to
cover their tracks and avoid detection. APIs in this category are typically
delete, disable, or stop operations, such as DeleteFlowLogs,
DisableAlarmActions, or StopLogging.

This API request was identified as anomalous by GuardDuty's anomaly detection
machine learning (ML) model. The ML model evaluates all API requests in your
account and identifies anomalous events that are associated with techniques used
by adversaries. The ML model tracks various factors of the API request, such as
the user that made the request, the location the request was made from, and the
specific API that was requested. Details on which factors of the API request are
unusual for the user identity that invoked the request can be found in the
finding details.

Remediation recommendations:

If this activity is unexpected, your credentials may be compromised. For more
information, see Remediating compromised AWS credentials.


DISCOVERY:IAMUSER/ANOMALOUSBEHAVIOR


AN API COMMONLY USED TO DISCOVER RESOURCES WAS INVOKED IN AN ANOMALOUS WAY.

Default severity: Low

 * Data source: CloudTrail management event

This finding informs you that an anomalous API request was observed in your
account. This finding may include a single API or a series of related API
requests made in proximity by a single user identity. The API observed is
commonly associated with the discovery stage of an attack when an adversary is
gathering information to determine if your AWS environment is susceptible to a
broader attack. APIs in this category are typically get, describe, or list
operations, such as DescribeInstances, GetRolePolicy, or ListAccessKeys.

This API request was identified as anomalous by GuardDuty's anomaly detection
machine learning (ML) model. The ML model evaluates all API requests in your
account and identifies anomalous events that are associated with techniques used
by adversaries. The ML model tracks various factors of the API request, such as
the user that made the request, the location the request was made from, and the
specific API that was requested. Details on which factors of the API request are
unusual for the user identity that invoked the request can be found in the
finding details.

Remediation recommendations:

If this activity is unexpected, your credentials may be compromised. For more
information, see Remediating compromised AWS credentials.


EXFILTRATION:IAMUSER/ANOMALOUSBEHAVIOR


AN API COMMONLY USED TO COLLECT DATA FROM AN AWS ENVIRONMENT WAS INVOKED IN AN
ANOMALOUS WAY.

Default severity: High

 * Data source: CloudTrail management event

This finding informs you that an anomalous API request was observed in your
account. This finding may include a single API or a series of related API
requests made in proximity by a single user identity. The API observed is
commonly associated with exfiltration tactics where an adversary is trying to
collect data from your network using packaging and encryption to avoid
detection. APIs for this finding type are management (control-plane) operations
only and are typically related to S3, snapshots, and databases, such as
PutBucketReplication, CreateSnapshot, or RestoreDBInstanceFromDBSnapshot.

This API request was identified as anomalous by GuardDuty's anomaly detection
machine learning (ML) model. The ML model evaluates all API requests in your
account and identifies anomalous events that are associated with techniques used
by adversaries. The ML model tracks various factors of the API request, such as
the user that made the request, the location the request was made from, and the
specific API that was requested. Details on which factors of the API request are
unusual for the user identity that invoked the request can be found in the
finding details.

Remediation recommendations:

If this activity is unexpected, your credentials may be compromised. For more
information, see Remediating compromised AWS credentials.


IMPACT:IAMUSER/ANOMALOUSBEHAVIOR


AN API COMMONLY USED TO TAMPER WITH DATA OR PROCESSES IN AN AWS ENVIRONMENT WAS
INVOKED IN AN ANOMALOUS WAY.

Default severity: High

 * Data source: CloudTrail management event

This finding informs you that an anomalous API request was observed in your
account. This finding may include a single API or a series of related API
requests made in proximity by a single user identity. The API observed is
commonly associated with impact tactics where an adversary is trying to disrupt
operations and manipulate, interrupt, or destroy data in your account. APIs for
this finding type are typically delete, update, or put operations, such as
DeleteSecurityGroup, UpdateUser, or PutBucketPolicy.

This API request was identified as anomalous by GuardDuty's anomaly detection
machine learning (ML) model. The ML model evaluates all API requests in your
account and identifies anomalous events that are associated with techniques used
by adversaries. The ML model tracks various factors of the API request, such as
the user that made the request, the location the request was made from, and the
specific API that was requested. Details on which factors of the API request are
unusual for the user identity that invoked the request can be found in the
finding details.

Remediation recommendations:

If this activity is unexpected, your credentials may be compromised. For more
information, see Remediating compromised AWS credentials.


INITIALACCESS:IAMUSER/ANOMALOUSBEHAVIOR


AN API COMMONLY USED TO GAIN UNAUTHORIZED ACCESS TO AN AWS ENVIRONMENT WAS
INVOKED IN AN ANOMALOUS WAY.

Default severity: Medium

 * Data source: CloudTrail management event

This finding informs you that an anomalous API request was observed in your
account. This finding may include a single API or a series of related API
requests made in proximity by a single user identity. The API observed is
commonly associated with the initial access stage of an attack when an adversary
is attempting to establish access to your environment. APIs in this category are
typically get-token or session operations, such as GetFederationToken,
StartSession, or GetAuthorizationToken.

This API request was identified as anomalous by GuardDuty's anomaly detection
machine learning (ML) model. The ML model evaluates all API requests in your
account and identifies anomalous events that are associated with techniques used
by adversaries. The ML model tracks various factors of the API request, such as
the user that made the request, the location the request was made from, and the
specific API that was requested. Details on which factors of the API request are
unusual for the user identity that invoked the request can be found in the
finding details.

Remediation recommendations:

If this activity is unexpected, your credentials may be compromised. For more
information, see Remediating compromised AWS credentials.


PENTEST:IAMUSER/KALILINUX


AN API WAS INVOKED FROM A KALI LINUX EC2 MACHINE.

Default severity: Medium

 * Data source: CloudTrail management event

This finding informs you that a machine running Kali Linux is making API calls
using credentials that belong to the listed AWS account in your environment.
Kali Linux is a popular penetration testing tool that security professionals use
to identify weaknesses in EC2 instances that require patching. Attackers also
use this tool to find EC2 configuration weaknesses and gain unauthorized access
to your AWS environment.

Remediation recommendations:

If this activity is unexpected, your credentials may be compromised. For more
information, see Remediating compromised AWS credentials.


PENTEST:IAMUSER/PARROTLINUX


AN API WAS INVOKED FROM A PARROT SECURITY LINUX MACHINE.

Default severity: Medium

 * Data source: CloudTrail management event

This finding informs you that a machine running Parrot Security Linux is making
API calls using credentials that belong to the listed AWS account in your
environment. Parrot Security Linux is a popular penetration testing tool that
security professionals use to identify weaknesses in EC2 instances that require
patching. Attackers also use this tool to find EC2 configuration weaknesses and
gain unauthorized access to your AWS environment.

Remediation recommendations:

If this activity is unexpected, your credentials may be compromised. For more
information, see Remediating compromised AWS credentials.


PENTEST:IAMUSER/PENTOOLINUX


AN API WAS INVOKED FROM A PENTOO LINUX MACHINE.

Default severity: Medium

 * Data source: CloudTrail management event

This finding informs you that a machine running Pentoo Linux is making API calls
using credentials that belong to the listed AWS account in your environment.
Pentoo Linux is a popular penetration testing tool that security professionals
use to identify weaknesses in EC2 instances that require patching. Attackers
also use this tool to find EC2 configuration weaknesses and gain unauthorized
access to your AWS environment.

Remediation recommendations:

If this activity is unexpected, your credentials may be compromised. For more
information, see Remediating compromised AWS credentials.


PERSISTENCE:IAMUSER/ANOMALOUSBEHAVIOR


AN API COMMONLY USED TO MAINTAIN UNAUTHORIZED ACCESS TO AN AWS ENVIRONMENT WAS
INVOKED IN AN ANOMALOUS WAY.

Default severity: Medium

 * Data source: CloudTrail management event

This finding informs you that an anomalous API request was observed in your
account. This finding may include a single API or a series of related API
requests made in proximity by a single user identity. The API observed is
commonly associated with persistence tactics where an adversary has gained
access to your environment and is attempting to maintain that access. APIs in
this category are typically create, import, or modify operations, such as
CreateAccessKey, ImportKeyPair, or ModifyInstanceAttribute.

This API request was identified as anomalous by GuardDuty's anomaly detection
machine learning (ML) model. The ML model evaluates all API requests in your
account and identifies anomalous events that are associated with techniques used
by adversaries. The ML model tracks various factors of the API request, such as
the user that made the request, the location the request was made from, and the
specific API that was requested. Details on which factors of the API request are
unusual for the user identity that invoked the request can be found in the
finding details.

Remediation recommendations:

If this activity is unexpected, your credentials may be compromised. For more
information, see Remediating compromised AWS credentials.


POLICY:IAMUSER/ROOTCREDENTIALUSAGE


AN API WAS INVOKED USING ROOT USER SIGN-IN CREDENTIALS.

Default severity: Low

 * Data source: CloudTrail management events or CloudTrail data events

This finding informs you that the root user sign-in credentials of the listed
AWS account in your environment are being used to make requests to AWS services.
It is recommended that users never use root user sign-in credentials to access
AWS services. Instead, AWS services should be accessed using least privilege
temporary credentials from AWS Security Token Service (STS). For situations
where AWS STS is not supported, IAM user credentials are recommended. For more
information, see IAM Best Practices.

NOTE

If S3 threat detection is enabled for the account, this finding may be generated
in response to attempts to run S3 data plane operations on S3 resources using
the root user sign-in credentials of the AWS account. The API call used will be
listed in the finding details. If S3 threat detection is not enabled, this
finding can only be triggered by Event log APIs. For more information about S3
threat detection, see S3 protection.

Remediation recommendations:

If this activity is unexpected, your credentials may be compromised. For more
information, see Remediating compromised AWS credentials.


PRIVILEGEESCALATION:IAMUSER/ANOMALOUSBEHAVIOR


AN API COMMONLY USED TO OBTAIN HIGH-LEVEL PERMISSIONS TO AN AWS ENVIRONMENT WAS
INVOKED IN AN ANOMALOUS WAY.

Default severity: Medium

 * Data source: CloudTrail management events

This finding informs you that an anomalous API request was observed in your
account. This finding may include a single API or a series of related API
requests made in proximity by a single user identity. The API observed is
commonly associated with privilege escalation tactics where an adversary is
attempting to gain higher-level permissions to an environment. APIs in this
category typically involve operations that change IAM policies, roles, and
users, such as AssociateIamInstanceProfile, AddUserToGroup, or PutUserPolicy.

This API request was identified as anomalous by GuardDuty's anomaly detection
machine learning (ML) model. The ML model evaluates all API requests in your
account and identifies anomalous events that are associated with techniques used
by adversaries. The ML model tracks various factors of the API request, such as
the user that made the request, the location the request was made from, and the
specific API that was requested. Details on which factors of the API request are
unusual for the user identity that invoked the request can be found in the
finding details.

Remediation recommendations:

If this activity is unexpected, your credentials may be compromised. For more
information, see Remediating compromised AWS credentials.


RECON:IAMUSER/MALICIOUSIPCALLER


AN API WAS INVOKED FROM A KNOWN MALICIOUS IP ADDRESS.

Default severity: Medium

 * Data source: CloudTrail management events

This finding informs you that an API operation that can list or describe AWS
resources in an account within your environment was invoked from an IP address
that is included on a threat list. An attacker may use stolen credentials to
perform this type of reconnaissance of your AWS resources in order to find more
valuable credentials or determine the capabilities of the credentials they
already have.

Remediation recommendations:

If this activity is unexpected, your credentials may be compromised. For more
information, see Remediating compromised AWS credentials.


RECON:IAMUSER/MALICIOUSIPCALLER.CUSTOM


AN API WAS INVOKED FROM A KNOWN MALICIOUS IP ADDRESS.

Default severity: Medium

 * Data source: CloudTrail management events

This finding informs you that an API operation that can list or describe AWS
resources in an account within your environment was invoked from an IP address
that is included on a custom threat list. The threat list used will be listed in
the finding's details. An attacker might use stolen credentials to perform this
type of reconnaissance of your AWS resources in order to find more valuable
credentials or determine the capabilities of the credentials they already have.

Remediation recommendations:

If this activity is unexpected, your credentials may be compromised. For more
information, see Remediating compromised AWS credentials.


RECON:IAMUSER/TORIPCALLER


AN API WAS INVOKED FROM A TOR EXIT NODE IP ADDRESS.

Default severity: Medium

 * Data source: CloudTrail management events

This finding informs you that an API operation that can list or describe AWS
resources in an account within your environment was invoked from a Tor exit node
IP address. Tor is software for enabling anonymous communication. It encrypts
and randomly bounces communications through relays between a series of network
nodes. The last Tor node is called the exit node. An attacker would use Tor to
mask their true identity.

Remediation recommendations:

If this activity is unexpected, your credentials may be compromised. For more
information, see Remediating compromised AWS credentials.


STEALTH:IAMUSER/CLOUDTRAILLOGGINGDISABLED


AWS CLOUDTRAIL LOGGING WAS DISABLED.

Default severity: Low

 * Data source: CloudTrail management events

This finding informs you that a CloudTrail trail within your AWS environment was
disabled. This can be an attacker's attempt to disable logging to cover their
tracks by eliminating any trace of their activity while gaining access to your
AWS resources for malicious purposes. This finding can be triggered by a
successful deletion or update of a trail. This finding can also be triggered by
a successful deletion of an S3 bucket that stores the logs from a trail that is
associated with GuardDuty.

Remediation recommendations:

If this activity is unexpected, your credentials may be compromised. For more
information, see Remediating compromised AWS credentials.


STEALTH:IAMUSER/PASSWORDPOLICYCHANGE


ACCOUNT PASSWORD POLICY WAS WEAKENED.

Default severity: Low*

NOTE

This finding's severity can be Low, Medium, or High depending on the severity of
the changes made to password policy.

 * Data source: CloudTrail management events

The AWS account password policy was weakened on the listed account within your
AWS environment. For example, it was deleted or updated to require fewer
characters, not require symbols and numbers, or to extend the password
expiration period. This finding can also be triggered by an attempt to update or
delete your AWS account password policy. The AWS account password policy defines
the rules that govern what kinds of passwords can be set for your IAM users. A
weaker password policy permits the creation of passwords that are easy to
remember and potentially easier to guess, thereby creating a security risk.

Remediation recommendations:

If this activity is unexpected, your credentials may be compromised. For more
information, see Remediating compromised AWS credentials.
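The three findings just described (Policy:IAMUser/RootCredentialUsage, Stealth:IAMUser/CloudTrailLoggingDisabled and Stealth:IAMUser/PasswordPolicyChange) are rule-based rather than ML-based, so a defender can corroborate or back-test them against raw CloudTrail records. The following is an added example, not GuardDuty's own detection logic and not AWS code. The sample records, the baseline password policy, the trail log bucket name and the function names are constructed. Two assumptions are labelled in the code: the Low/Medium/High grading of a password policy change is a heuristic of this example (the page only says the severity ranges from Low to High with the severity of the change), and IAM's UpdateAccountPasswordPolicy resets any parameter that is omitted from the request to its default, so the effective policy is the defaults overlaid with the request.

```python
"""Screen CloudTrail management-event records for the three rule-based IAM
signals on this page. Added example; not GuardDuty's implementation."""

TRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail"}
PASSWORD_POLICY_EVENTS = {"DeleteAccountPasswordPolicy", "UpdateAccountPasswordPolicy"}

# Assumption: IAM applies these defaults to parameters omitted from
# UpdateAccountPasswordPolicy, so an omitted flag silently weakens the policy.
POLICY_DEFAULTS = {
    "minimumPasswordLength": 6,
    "requireSymbols": False,
    "requireNumbers": False,
    "requireUppercaseCharacters": False,
    "requireLowercaseCharacters": False,
    "maxPasswordAge": 0,  # 0 means passwords never expire
}


def password_policy_severity(event_name, params, baseline):
    """Return "Low"/"Medium"/"High" if the request weakens `baseline`, else None.
    Assumed heuristic: deletion is High; otherwise count weakened settings."""
    if event_name == "DeleteAccountPasswordPolicy":
        return "High"
    effective = {**POLICY_DEFAULTS, **params}
    weakened = 0
    if effective["minimumPasswordLength"] < baseline["minimumPasswordLength"]:
        weakened += 1  # fewer characters required
    for flag in ("requireSymbols", "requireNumbers",
                 "requireUppercaseCharacters", "requireLowercaseCharacters"):
        if baseline[flag] and not effective[flag]:
            weakened += 1  # a character-class requirement was dropped
    old_age, new_age = baseline["maxPasswordAge"], effective["maxPasswordAge"]
    if old_age and (new_age == 0 or new_age > old_age):
        weakened += 1  # expiration period extended or removed entirely
    if weakened == 0:
        return None
    return {1: "Low", 2: "Medium"}.get(weakened, "High")


def screen_record(record, baseline_policy, trail_log_buckets):
    """Map one CloudTrail record to the finding types it would plausibly raise.
    Returns a list of (finding_type, severity) tuples."""
    findings = []
    source = record.get("eventSource", "")
    name = record.get("eventName", "")
    params = record.get("requestParameters") or {}
    # Root usage is the signal by itself, whether or not the call succeeded.
    if record.get("userIdentity", {}).get("type") == "Root":
        findings.append(("Policy:IAMUser/RootCredentialUsage", "Low"))
    # The page ties the Stealth findings to *successful* deletes/updates, so a
    # call CloudTrail recorded with an errorCode (e.g. AccessDenied) is skipped.
    if record.get("errorCode"):
        return findings
    if source == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPER_EVENTS:
        findings.append(("Stealth:IAMUser/CloudTrailLoggingDisabled", "Low"))
    if (source == "s3.amazonaws.com" and name == "DeleteBucket"
            and params.get("bucketName") in trail_log_buckets):
        # Deleting the bucket that stores a trail's logs also disables logging.
        findings.append(("Stealth:IAMUser/CloudTrailLoggingDisabled", "Low"))
    if source == "iam.amazonaws.com" and name in PASSWORD_POLICY_EVENTS:
        severity = password_policy_severity(name, params, baseline_policy)
        if severity:
            findings.append(("Stealth:IAMUser/PasswordPolicyChange", severity))
    return findings


# Constructed sample records (trimmed CloudTrail shape; not real log data).
SAMPLE_RECORDS = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "Root", "accountId": "111111111111"}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "userName": "deploy"},
     "requestParameters": {"name": "org-trail"}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "userName": "analyst"},
     "errorCode": "AccessDenied"},
    {"eventSource": "iam.amazonaws.com", "eventName": "UpdateAccountPasswordPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "deploy"},
     "requestParameters": {"minimumPasswordLength": 8, "requireSymbols": True,
                           "requireNumbers": True, "requireUppercaseCharacters": True,
                           "requireLowercaseCharacters": True, "maxPasswordAge": 90}},
    {"eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket",
     "userIdentity": {"type": "Root", "accountId": "111111111111"},
     "requestParameters": {"bucketName": "org-trail-logs"}},
]
# Constructed baseline: the policy the account is supposed to have.
BASELINE_POLICY = {"minimumPasswordLength": 14, "requireSymbols": True,
                   "requireNumbers": True, "requireUppercaseCharacters": True,
                   "requireLowercaseCharacters": True, "maxPasswordAge": 90}
TRAIL_LOG_BUCKETS = {"org-trail-logs"}  # constructed bucket name


def screen_all(records=SAMPLE_RECORDS):
    return [screen_record(r, BASELINE_POLICY, TRAIL_LOG_BUCKETS) for r in records]


if __name__ == "__main__":
    for rec, hits in zip(SAMPLE_RECORDS, screen_all()):
        print(f"{rec['eventName']:<28} -> {hits or 'no finding'}")
```

The third sample record shows the caveat that matters in practice: a StopLogging call that CloudTrail recorded with an errorCode never disabled anything, so it is not a CloudTrailLoggingDisabled event, although the attempt itself may still deserve a look under the anomalous-behaviour findings above. The last record shows one call raising two findings, since root credentials deleted the bucket holding the trail's logs.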


UNAUTHORIZEDACCESS:IAMUSER/CONSOLELOGINSUCCESS.B


MULTIPLE WORLDWIDE SUCCESSFUL CONSOLE LOGINS WERE OBSERVED.

Default severity: Medium

 * Data source: CloudTrail management events

This finding informs you that multiple successful console logins for the same
IAM user were observed around the same time in various geographical locations.
Such anomalous and risky access location patterns indicate potential
unauthorized access to your AWS resources.

Remediation recommendations:

If this activity is unexpected, your credentials may be compromised. For more
information, see Remediating compromised AWS credentials.


UNAUTHORIZEDACCESS:IAMUSER/INSTANCECREDENTIALEXFILTRATION.INSIDEAWS


CREDENTIALS THAT WERE CREATED EXCLUSIVELY FOR AN EC2 INSTANCE THROUGH AN
INSTANCE LAUNCH ROLE ARE BEING USED FROM ANOTHER ACCOUNT WITHIN AWS.

Default severity: High*

NOTE

This finding's default severity is High. However, if the API was invoked by an
account affiliated with your AWS environment, the severity is Medium.

 * Data source: CloudTrail management events or S3 data events

This finding informs you when your EC2 instance credentials are used to invoke
APIs from an IP address that is owned by a different AWS account than the one
that the associated EC2 instance is running in.

AWS does not recommend redistributing temporary credentials outside of the
entity that created them (for example, AWS applications, EC2, or Lambda).
However, authorized users can export credentials from their EC2 instances to
make legitimate API calls. If the remoteAccountDetails.Affiliated field is True,
the API was invoked from an account associated with your AWS environment. To
rule out a potential attack and verify the legitimacy of the activity, contact
the IAM user to whom these credentials are assigned.

Remediation recommendations:

In response to this finding, you can use the following workflow to determine a
course of action:

 1. Identify the remote account involved from the
    service.action.awsApiCallAction.remoteAccountDetails.accountId field.

 2. Next determine if that account is affiliated with your GuardDuty environment
    from the service.action.awsApiCallAction.remoteAccountDetails.affiliated
    field.

 3. If the account is affiliated, contact the remote account owner, and the
    owner of the EC2 instance credentials to investigate.

 4. If the account is not affiliated, first evaluate whether that account is
    associated with your organization but is not a part of your GuardDuty
    multi-account setup, or whether GuardDuty has not yet been enabled in the
    account. Otherwise, contact the owner of the EC2 credentials to determine if
    there is a use case for a remote account to use these credentials.

 5. If the owner of the credentials does not recognize the remote account the
    credentials may have been compromised by a threat actor operating within
    AWS. You should take the steps recommended in Remediating a compromised EC2
    instance to secure your environment. Additionally, you can submit an abuse
    report to the AWS Trust and Safety team to begin an investigation into the
    remote account. When submitting your report to AWS Trust and Safety, please
    include the full JSON details of the finding.
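The five-step workflow above reads two fields of the finding JSON and branches on them, which makes it easy to encode as a triage helper that an analyst or a response automation can run on the exported finding. What follows is an added example, not AWS code. The finding JSON is constructed (the field paths `type`, `severity` and `service.action.awsApiCallAction.remoteAccountDetails.{accountId,affiliated}` are the page's; the identifiers in it are made up), the set of organization account IDs is an assumed input, and the severity bands used to check the note above (Low 1.0 to 3.9, Medium 4.0 to 6.9, High 7.0 to 8.9) are GuardDuty's documented numeric ranges.

```python
"""Triage helper for UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS
following this page's five-step workflow. Added example, not AWS code."""
import copy
import json

FINDING_TYPE = "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS"
REMOTE = "service.action.awsApiCallAction.remoteAccountDetails"


def get_path(obj, dotted):
    """Walk a dotted field path such as REMOTE + '.accountId'; None if absent."""
    for key in dotted.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def severity_label(score):
    """GuardDuty numeric severity bands: Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def expected_severity_label(finding):
    """Page rule: High by default, Medium when the remote account is affiliated."""
    return "Medium" if get_path(finding, REMOTE + ".affiliated") else "High"


def triage_inside_aws(finding, org_account_ids, owner_recognizes_remote=None):
    """Return the workflow step reached and the recommended next action.
    `owner_recognizes_remote` is the outcome of the step-4 conversation with
    the EC2 credential owner (None means the owner has not been asked yet)."""
    if finding.get("type") != FINDING_TYPE:
        raise ValueError("not an InstanceCredentialExfiltration.InsideAWS finding")
    remote_account = get_path(finding, REMOTE + ".accountId")      # step 1
    if remote_account is None:
        raise ValueError("finding lacks remoteAccountDetails.accountId")
    affiliated = bool(get_path(finding, REMOTE + ".affiliated"))   # step 2
    result = {"remote_account": remote_account, "affiliated": affiliated,
              # sanity check against the page's severity note
              "severity_as_expected":
                  severity_label(finding["severity"]) == expected_severity_label(finding)}
    if affiliated:                                                  # step 3
        return {**result, "step": 3, "action":
                "contact the remote account owner and the owner of the EC2 "
                "instance credentials to investigate"}
    if remote_account in org_account_ids:                           # step 4, first branch
        return {**result, "step": 4, "action":
                "account belongs to your organization but is not in your GuardDuty "
                "multi-account setup (or GuardDuty is not enabled there); enrol it, "
                "then investigate with its owner"}
    if owner_recognizes_remote is None:                             # step 4, second branch
        return {**result, "step": 4, "action":
                "ask the owner of the EC2 credentials whether this remote account "
                "has a use case for them"}
    if owner_recognizes_remote:
        return {**result, "step": 4, "action":
                "owner confirmed a use case; record it and close the finding"}
    return {**result, "step": 5, "action":                          # step 5
            "treat the credentials as compromised: follow Remediating a compromised "
            "EC2 instance, then submit an abuse report to AWS Trust and Safety",
            # the page asks for the full JSON details in the report
            "abuse_report_attachment": json.dumps(finding, indent=2)}


def with_remote(finding, account_id, affiliated):
    """Deep copy of `finding` with the remote-account fields replaced; severity
    is set to a Medium score for the affiliated case, as the page's note says."""
    clone = copy.deepcopy(finding)
    details = get_path(clone, REMOTE)
    details["accountId"] = account_id
    details["affiliated"] = affiliated
    clone["severity"] = 5.0 if affiliated else 8.0
    return clone


# Constructed finding (trimmed to the fields the workflow reads; IDs made up).
SAMPLE_FINDING = json.loads("""{
  "type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS",
  "severity": 8.0,
  "accountId": "111111111111",
  "resource": {"resourceType": "AccessKey",
               "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
  "service": {"action": {"actionType": "AWS_API_CALL",
    "awsApiCallAction": {"api": "ListBuckets", "serviceName": "s3.amazonaws.com",
      "remoteAccountDetails": {"accountId": "222222222222", "affiliated": false}}}}
}""")
ORG_ACCOUNTS = {"111111111111", "333333333333"}  # assumed: your organization's accounts

if __name__ == "__main__":
    print(triage_inside_aws(SAMPLE_FINDING, ORG_ACCOUNTS)["action"])
    print(triage_inside_aws(SAMPLE_FINDING, ORG_ACCOUNTS, owner_recognizes_remote=False)["step"])
```

The `severity_as_expected` flag is a cheap consistency check worth keeping in automation: if a finding arrives with `affiliated` true but a High score (or the reverse), the export or enrichment pipeline has probably altered the finding, and an analyst should look at the raw JSON before acting on it.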


UNAUTHORIZEDACCESS:IAMUSER/INSTANCECREDENTIALEXFILTRATION.OUTSIDEAWS


CREDENTIALS THAT WERE CREATED EXCLUSIVELY FOR AN EC2 INSTANCE THROUGH AN
INSTANCE LAUNCH ROLE ARE BEING USED FROM AN EXTERNAL IP ADDRESS.

Default severity: High

 * Data source: CloudTrail management events or S3 data events

This finding informs you that a host outside of AWS has attempted to run AWS API
operations using temporary AWS credentials that were created on an EC2 instance
in your AWS environment. The listed EC2 instance might be compromised, and the
temporary credentials from this instance might have been exfiltrated to a remote
host outside of AWS. AWS does not recommend redistributing temporary credentials
outside of the entity that created them (for example, AWS applications, EC2, or
Lambda). However, authorized users can export credentials from their EC2
instances to make legitimate API calls. To rule out a potential attack and
verify the legitimacy of the activity, validate if the use of instance
credentials from the remote IP in the finding is expected.

Remediation recommendations:

This finding is generated when networking is configured to route internet
traffic such that it egresses from an on-premises gateway rather than from a VPC
Internet Gateway (IGW). Common configurations, such as using AWS Outposts or
VPC VPN connections, can result in traffic routed this way. If this is expected
behavior, we recommend that you use suppression rules and create a rule that
consists of two filter criteria. The first criterion is finding type, which
should be UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS.
The second filter criterion is API caller IPv4 Address with the IP address or
CIDR range of your on-premises internet gateway. To learn more about creating
suppression rules, see Suppression rules.
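The two-criterion rule described above, as an added example that is not AWS code: it builds the criteria in the shape GuardDuty's CreateFilter API takes (pair it with the ARCHIVE action to make it a suppression rule) and evaluates the same rule locally against sample findings, so you can check which findings it would archive before creating it. The criterion keys are the GuardDuty filter attribute names for finding type (`type`) and API caller IPv4 address (`service.action.awsApiCallAction.remoteIpDetails.ipAddressV4`); the on-premises egress range and the findings are constructed placeholders.

```python
"""Two-criterion suppression rule for the OutsideAWS finding, evaluated locally.

Added example, not AWS code. The criteria dict uses GuardDuty's filter
attribute names for finding type and API caller IPv4 address; the egress
range and the sample findings are constructed placeholders.
"""
from __future__ import annotations

import ipaddress
import json
from typing import Any

OUTSIDE_AWS_TYPE = (
    "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS"
)
IP_FIELD = "service.action.awsApiCallAction.remoteIpDetails.ipAddressV4"

# Constructed: the public range your on-premises internet gateway egresses from.
ON_PREM_EGRESS = ["203.0.113.0/24"]


def suppression_criteria(egress_ranges: list[str]) -> dict[str, Any]:
    """FindingCriteria for CreateFilter: both criteria must match for the rule to fire."""
    return {
        "Criterion": {
            "type": {"Eq": [OUTSIDE_AWS_TYPE]},
            IP_FIELD: {"Eq": list(egress_ranges)},
        }
    }


def get_path(obj: Any, dotted: str) -> Any:
    """Walk a dotted path through nested dicts; None if any segment is missing."""
    for key in dotted.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def ip_in_ranges(ip: str, ranges: list[str]) -> bool:
    """True if ip lies in any listed range; a bare address counts as a single host."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed caller address never matches the allow-list
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)


def is_suppressed(finding: dict[str, Any], criteria: dict[str, Any]) -> bool:
    """Local evaluation of the rule: right finding type AND caller IP inside the ranges."""
    crit = criteria["Criterion"]
    if finding.get("type") not in crit["type"]["Eq"]:
        return False
    caller_ip = get_path(finding, IP_FIELD)
    return caller_ip is not None and ip_in_ranges(caller_ip, crit[IP_FIELD]["Eq"])


def make_finding(finding_type: str, caller_ip: str) -> dict[str, Any]:
    """Constructed minimal finding carrying only the two fields the rule inspects."""
    return {
        "type": finding_type,
        "service": {"action": {"awsApiCallAction": {"remoteIpDetails": {"ipAddressV4": caller_ip}}}},
    }


if __name__ == "__main__":
    crit = suppression_criteria(ON_PREM_EGRESS)
    # This JSON is what you would pass as --finding-criteria to
    # `aws guardduty create-filter ... --action ARCHIVE`.
    print(json.dumps(crit, indent=2))
    samples = [
        make_finding(OUTSIDE_AWS_TYPE, "203.0.113.45"),   # on-prem egress: suppressed
        make_finding(OUTSIDE_AWS_TYPE, "198.51.100.9"),   # unknown host: kept
        make_finding("UnauthorizedAccess:IAMUser/TorIPCaller", "203.0.113.45"),  # other type: kept
    ]
    for f in samples:
        print(f["type"], get_path(f, IP_FIELD), "suppressed" if is_suppressed(f, crit) else "kept")
```

Keep the egress range as narrow as the gateway's actual public addresses: the rule archives every OutsideAWS finding whose caller falls inside it, so an overly broad CIDR would also hide a genuine exfiltration to a host in that range.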

NOTE

If GuardDuty observes continued activity from an external source, its machine
learning model will identify this as expected behavior and stop generating this
finding for activity from that source. GuardDuty will continue to generate
findings for new behavior from other sources, and will reevaluate learned
sources as behavior changes over time.

If this activity is unexpected, your credentials may be compromised. For more
information, see Remediating compromised AWS credentials.


UNAUTHORIZEDACCESS:IAMUSER/MALICIOUSIPCALLER


AN API WAS INVOKED FROM A KNOWN MALICIOUS IP ADDRESS.

Default severity: Medium

 * Data source: CloudTrail management events

This finding informs you that an API operation (for example, an attempt to
launch an EC2 instance, create a new IAM user, or modify your AWS privileges)
was invoked from a known malicious IP address. This can indicate unauthorized
access to AWS resources within your environment.

Remediation recommendations:

If this activity is unexpected, your credentials may be compromised. For more
information, see Remediating compromised AWS credentials.


UNAUTHORIZEDACCESS:IAMUSER/MALICIOUSIPCALLER.CUSTOM


AN API WAS INVOKED FROM AN IP ADDRESS ON A CUSTOM THREAT LIST.

Default severity: Medium

 * Data source: CloudTrail management events

This finding informs you that an API operation (for example, an attempt to
launch an EC2 instance, create a new IAM user, or modify AWS privileges) was
invoked from an IP address that is included on a threat list that you uploaded.
In GuardDuty, a threat list consists of known malicious IP addresses. This can
indicate unauthorized access to AWS resources within your environment.

Remediation recommendations:

If this activity is unexpected, your credentials may be compromised. For more
information, see Remediating compromised AWS credentials.


UNAUTHORIZEDACCESS:IAMUSER/TORIPCALLER


AN API WAS INVOKED FROM A TOR EXIT NODE IP ADDRESS.

Default severity: Medium

 * Data source: CloudTrail management events

This finding informs you that an API operation (for example, an attempt to
launch an EC2 instance, create a new IAM user, or modify your AWS privileges)
was invoked from a Tor exit node IP address. Tor is software for enabling
anonymous communication. It encrypts and randomly bounces communications through
relays between a series of network nodes. The last Tor node is called the exit
node. This can indicate unauthorized access to your AWS resources with the
intent of hiding the attacker's true identity.

Remediation recommendations:

If this activity is unexpected, your credentials may be compromised. For more
information, see Remediating compromised AWS credentials.

© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.