https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html
GuardDuty IAM finding types - Amazon GuardDuty User Guide
CredentialAccess:IAMUser/AnomalousBehaviorDefenseEvasion:IAMUser/AnomalousBehaviorDiscovery:IAMUser/AnomalousBehaviorExfiltration:IAMUser/AnomalousBehaviorImpact:IAMUser/AnomalousBehaviorInitialAccess:IAMUser/AnomalousBehaviorPenTest:IAMUser/KaliLinuxPenTest:IAMUser/ParrotLinuxPenTest:IAMUser/PentooLinuxPersistence:IAMUser/AnomalousBehaviorPolicy:IAMUser/RootCredentialUsagePrivilegeEscalation:IAMUser/AnomalousBehaviorRecon:IAMUser/MaliciousIPCallerRecon:IAMUser/MaliciousIPCaller.CustomRecon:IAMUser/TorIPCallerStealth:IAMUser/CloudTrailLoggingDisabledStealth:IAMUser/PasswordPolicyChangeUnauthorizedAccess:IAMUser/ConsoleLoginSuccess.BUnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWSUnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWSUnauthorizedAccess:IAMUser/MaliciousIPCallerUnauthorizedAccess:IAMUser/MaliciousIPCaller.CustomUnauthorizedAccess:IAMUser/TorIPCaller GUARDDUTY IAM FINDING TYPES PDFRSS The following findings are specific to IAM entities and access keys and always have a Resource Type of AccessKey. The severity and details of the findings differ based on the finding type. The findings listed here include the data sources and models used to generate that finding type. For more information, see Foundational data sources. For all IAM-related findings, we recommend that you examine the entity in question and ensure that their permissions follow the best practice of least privilege. If the activity is unexpected, the credentials may be compromised. For information about remediating findings, see Remediating compromised AWS credentials. 
TOPICS * CredentialAccess:IAMUser/AnomalousBehavior * DefenseEvasion:IAMUser/AnomalousBehavior * Discovery:IAMUser/AnomalousBehavior * Exfiltration:IAMUser/AnomalousBehavior * Impact:IAMUser/AnomalousBehavior * InitialAccess:IAMUser/AnomalousBehavior * PenTest:IAMUser/KaliLinux * PenTest:IAMUser/ParrotLinux * PenTest:IAMUser/PentooLinux * Persistence:IAMUser/AnomalousBehavior * Policy:IAMUser/RootCredentialUsage * PrivilegeEscalation:IAMUser/AnomalousBehavior * Recon:IAMUser/MaliciousIPCaller * Recon:IAMUser/MaliciousIPCaller.Custom * Recon:IAMUser/TorIPCaller * Stealth:IAMUser/CloudTrailLoggingDisabled * Stealth:IAMUser/PasswordPolicyChange * UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B * UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS * UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS * UnauthorizedAccess:IAMUser/MaliciousIPCaller * UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom * UnauthorizedAccess:IAMUser/TorIPCaller CREDENTIALACCESS:IAMUSER/ANOMALOUSBEHAVIOR AN API USED TO GAIN ACCESS TO AN AWS ENVIRONMENT WAS INVOKED IN AN ANOMALOUS WAY. Default severity: Medium * Data source: CloudTrail management event This finding informs you that an anomalous API request was observed in your account. This finding may include a single API or a series of related API requests made in proximity by a single user identity. The API observed is commonly associated with the credential access stage of an attack when an adversary is attempting to collect passwords, usernames, and access keys for your environment. The APIs in this category are GetPasswordData, GetSecretValue, and GenerateDbAuthToken. This API request was identified as anomalous by GuardDuty's anomaly detection machine learning (ML) model. The ML model evaluates all API requests in your account and identifies anomalous events that are associated with techniques used by adversaries. 
The ML model tracks various factors of the API request, such as, the user that made the request, the location the request was made from, and the specific API that was requested. Details on which factors of the API request are unusual for the user identity that invoked the request can be found in the finding details. Remediation recommendations: If this activity is unexpected, your credentials may be compromised. For more information, see Remediating compromised AWS credentials. DEFENSEEVASION:IAMUSER/ANOMALOUSBEHAVIOR AN API USED TO EVADE DEFENSIVE MEASURES WAS INVOKED IN AN ANOMALOUS WAY. Default severity: Medium * Data source: CloudTrail management event This finding informs you that an anomalous API request was observed in your account. This finding may include a single API or a series of related API requests made in proximity by a single user identity. The API observed is commonly associated with defense evasion tactics where an adversary is trying to cover their tracks and avoid detection. APIs in this category are typically delete, disable, or stop operations, such as, DeleteFlowLogs, DisableAlarmActions, or StopLogging. This API request was identified as anomalous by GuardDuty's anomaly detection machine learning (ML) model. The ML model evaluates all API requests in your account and identifies anomalous events that are associated with techniques used by adversaries. The ML model tracks various factors of the API request, such as, the user that made the request, the location the request was made from, and the specific API that was requested. Details on which factors of the API request are unusual for the user identity that invoked the request can be found in the finding details. Remediation recommendations: If this activity is unexpected, your credentials may be compromised. For more information, see Remediating compromised AWS credentials. DISCOVERY:IAMUSER/ANOMALOUSBEHAVIOR AN API COMMONLY USED TO DISCOVER RESOURCES WAS INVOKED IN AN ANOMALOUS WAY. 
Default severity: Low * Data source: CloudTrail management event This finding informs you that an anomalous API request was observed in your account. This finding may include a single API or a series of related API requests made in proximity by a single user identity. The API observed is commonly associated with the discovery stage of an attack when an adversary is gathering information to determine if your AWS environment is susceptible to a broader attack. APIs in this category are typically get, describe, or list operations, such as, DescribeInstances, GetRolePolicy, or ListAccessKeys. This API request was identified as anomalous by GuardDuty's anomaly detection machine learning (ML) model. The ML model evaluates all API requests in your account and identifies anomalous events that are associated with techniques used by adversaries. The ML model tracks various factors of the API request, such as, the user that made the request, the location the request was made from, and the specific API that was requested. Details on which factors of the API request are unusual for the user identity that invoked the request can be found in the finding details. Remediation recommendations: If this activity is unexpected, your credentials may be compromised. For more information, see Remediating compromised AWS credentials. EXFILTRATION:IAMUSER/ANOMALOUSBEHAVIOR AN API COMMONLY USED TO COLLECT DATA FROM AN AWS ENVIRONMENT WAS INVOKED IN AN ANOMALOUS WAY. Default severity: High * Data source: CloudTrail management event This finding informs you that an anomalous API request was observed in your account. This finding may include a single API or a series of related API requests made in proximity by a single user identity. The API observed is commonly associated with exfiltration tactics where an adversary is trying to collect data from your network using packaging and encryption to avoid detection. 
APIs for this finding type are management (control-plane) operations only and are typically related to S3, snapshots, and databases, such as, PutBucketReplication, CreateSnapshot, or RestoreDBInstanceFromDBSnapshot. This API request was identified as anomalous by GuardDuty's anomaly detection machine learning (ML) model. The ML model evaluates all API requests in your account and identifies anomalous events that are associated with techniques used by adversaries. The ML model tracks various factors of the API request, such as, the user that made the request, the location the request was made from, and the specific API that was requested. Details on which factors of the API request are unusual for the user identity that invoked the request can be found in the finding details. Remediation recommendations: If this activity is unexpected, your credentials may be compromised. For more information, see Remediating compromised AWS credentials. IMPACT:IAMUSER/ANOMALOUSBEHAVIOR AN API COMMONLY USED TO TAMPER WITH DATA OR PROCESSES IN AN AWS ENVIRONMENT WAS INVOKED IN AN ANOMALOUS WAY. Default severity: High * Data source: CloudTrail management event This finding informs you that an anomalous API request was observed in your account. This finding may include a single API or a series of related API requests made in proximity by a single user identity. The API observed is commonly associated with impact tactics where an adversary is trying to disrupt operations and manipulate, interrupt, or destroy data in your account. APIs for this finding type are typically delete, update, or put operations, such as, DeleteSecurityGroup, UpdateUser, or PutBucketPolicy. This API request was identified as anomalous by GuardDuty's anomaly detection machine learning (ML) model. The ML model evaluates all API requests in your account and identifies anomalous events that are associated with techniques used by adversaries. 
The ML model tracks various factors of the API request, such as, the user that made the request, the location the request was made from, and the specific API that was requested. Details on which factors of the API request are unusual for the user identity that invoked the request can be found in the finding details. Remediation recommendations: If this activity is unexpected, your credentials may be compromised. For more information, see Remediating compromised AWS credentials. INITIALACCESS:IAMUSER/ANOMALOUSBEHAVIOR AN API COMMONLY USED TO GAIN UNAUTHORIZED ACCESS TO AN AWS ENVIRONMENT WAS INVOKED IN AN ANOMALOUS WAY. Default severity: Medium * Data source: CloudTrail management event This finding informs you that an anomalous API request was observed in your account. This finding may include a single API or a series of related API requests made in proximity by a single user identity. The API observed is commonly associated with the initial access stage of an attack when an adversary is attempting to establish access to your environment. APIs in this category are typically get token, or session operations, such as, GetFederationToken, StartSession, or GetAuthorizationToken. This API request was identified as anomalous by GuardDuty's anomaly detection machine learning (ML) model. The ML model evaluates all API requests in your account and identifies anomalous events that are associated with techniques used by adversaries. The ML model tracks various factors of the API request, such as, the user that made the request, the location the request was made from, and the specific API that was requested. Details on which factors of the API request are unusual for the user identity that invoked the request can be found in the finding details. Remediation recommendations: If this activity is unexpected, your credentials may be compromised. For more information, see Remediating compromised AWS credentials. 
PENTEST:IAMUSER/KALILINUX AN API WAS INVOKED FROM A KALI LINUX EC2 MACHINE. Default severity: Medium * Data source: CloudTrail management event This finding informs you that a machine running Kali Linux is making API calls using credentials that belong to the listed AWS account in your environment. Kali Linux is a popular penetration testing tool that security professionals use to identify weaknesses in EC2 instances that require patching. Attackers also use this tool to find EC2 configuration weaknesses and gain unauthorized access to your AWS environment. Remediation recommendations: If this activity is unexpected, your credentials may be compromised. For more information, see Remediating compromised AWS credentials. PENTEST:IAMUSER/PARROTLINUX AN API WAS INVOKED FROM A PARROT SECURITY LINUX MACHINE. Default severity: Medium * Data source: CloudTrail management event This finding informs you that a machine running Parrot Security Linux is making API calls using credentials that belong to the listed AWS account in your environment. Parrot Security Linux is a popular penetration testing tool that security professionals use to identify weaknesses in EC2 instances that require patching. Attackers also use this tool to find EC2 configuration weaknesses and gain unauthorized access to your AWS environment. Remediation recommendations: If this activity is unexpected, your credentials may be compromised. For more information, see Remediating compromised AWS credentials. PENTEST:IAMUSER/PENTOOLINUX AN API WAS INVOKED FROM A PENTOO LINUX MACHINE. Default severity: Medium * Data source: CloudTrail management event This finding informs you that a machine running Pentoo Linux is making API calls using credentials that belong to the listed AWS account in your environment. Pentoo Linux is a popular penetration testing tool that security professionals use to identify weaknesses in EC2 instances that require patching. 
Attackers also use this tool to find EC2 configuration weaknesses and gain unauthorized access to your AWS environment. Remediation recommendations: If this activity is unexpected, your credentials may be compromised. For more information, see Remediating compromised AWS credentials. PERSISTENCE:IAMUSER/ANOMALOUSBEHAVIOR AN API COMMONLY USED TO MAINTAIN UNAUTHORIZED ACCESS TO AN AWS ENVIRONMENT WAS INVOKED IN AN ANOMALOUS WAY. Default severity: Medium * Data source: CloudTrail management event This finding informs you that an anomalous API request was observed in your account. This finding may include a single API or a series of related API requests made in proximity by a single user identity. The API observed is commonly associated with persistence tactics where an adversary has gained access to your environment and is attempting to maintain that access. APIs in this category are typically create, import, or modify operations, such as, CreateAccessKey, ImportKeyPair, or ModifyInstanceAttribute. This API request was identified as anomalous by GuardDuty's anomaly detection machine learning (ML) model. The ML model evaluates all API requests in your account and identifies anomalous events that are associated with techniques used by adversaries. The ML model tracks various factors of the API request, such as, the user that made the request, the location the request was made from, and the specific API that was requested. Details on which factors of the API request are unusual for the user identity that invoked the request can be found in the finding details. Remediation recommendations: If this activity is unexpected, your credentials may be compromised. For more information, see Remediating compromised AWS credentials. POLICY:IAMUSER/ROOTCREDENTIALUSAGE AN API WAS INVOKED USING ROOT USER SIGN-IN CREDENTIALS. 
Default severity: Low * Data source: CloudTrail management events or CloudTrail data events This finding informs you that the root user sign-in credentials of the listed AWS account in your environment are being used to make requests to AWS services. It is recommended that users never use root user sign-in credentials to access AWS services. Instead, AWS services should be accessed using least privilege temporary credentials from AWS Security Token Service (STS). For situations where AWS STS is not supported, IAM user credentials are recommended. For more information, see IAM Best Practices. NOTE If S3 threat detection is enabled for the account this finding may be generated in response to attempts to run S3 data plane operations on S3 resources using the root user sign-in credentials of the AWS account. The API call used will be listed in the finding details. If S3 threat detection is not enabled this finding can only be triggered by Event log APIs. For more information about S3 threat detection, see S3 protection. Remediation recommendations: If this activity is unexpected, your credentials may be compromised. For more information, see Remediating compromised AWS credentials. PRIVILEGEESCALATION:IAMUSER/ANOMALOUSBEHAVIOR AN API COMMONLY USED TO OBTAIN HIGH-LEVEL PERMISSIONS TO AN AWS ENVIRONMENT WAS INVOKED IN AN ANOMALOUS WAY. Default severity: Medium * Data source: CloudTrail management events This finding informs you that an anomalous API request was observed in your account. This finding may include a single API or a series of related API requests made in proximity by a single user identity. The API observed is commonly associated with privilege escalation tactics where an adversary is attempting to gain higher-level permissions to an environment. APIs in this category typically involve operations that change IAM policies, roles, and users, such as, AssociateIamInstanceProfile, AddUserToGroup, or PutUserPolicy. 
This API request was identified as anomalous by GuardDuty's anomaly detection machine learning (ML) model. The ML model evaluates all API requests in your account and identifies anomalous events that are associated with techniques used by adversaries. The ML model tracks various factors of the API request, such as, the user that made the request, the location the request was made from, and the specific API that was requested. Details on which factors of the API request are unusual for the user identity that invoked the request can be found in the finding details. Remediation recommendations: If this activity is unexpected, your credentials may be compromised. For more information, see Remediating compromised AWS credentials. RECON:IAMUSER/MALICIOUSIPCALLER AN API WAS INVOKED FROM A KNOWN MALICIOUS IP ADDRESS. Default severity: Medium * Data source: CloudTrail management events This finding informs you that an API operation that can list or describe AWS resources in an account within your environment was invoked from an IP address that is included on a threat list. An attacker may use stolen credentials to perform this type of reconnaissance of your AWS resources in order to find more valuable credentials or determine the capabilities of the credentials they already have. Remediation recommendations: If this activity is unexpected, your credentials may be compromised. For more information, see Remediating compromised AWS credentials. RECON:IAMUSER/MALICIOUSIPCALLER.CUSTOM AN API WAS INVOKED FROM A KNOWN MALICIOUS IP ADDRESS. Default severity: Medium * Data source: CloudTrail management events This finding informs you that an API operation that can list or describe AWS resources in an account within your environment was invoked from an IP address that is included on a custom threat list. The threat list used will be listed in the finding's details. 
An attacker might use stolen credentials to perform this type of reconnaissance of your AWS resources in order to find more valuable credentials or determine the capabilities of the credentials they already have. Remediation recommendations: If this activity is unexpected, your credentials may be compromised. For more information, see Remediating compromised AWS credentials. RECON:IAMUSER/TORIPCALLER AN API WAS INVOKED FROM A TOR EXIT NODE IP ADDRESS. Default severity: Medium * Data source: CloudTrail management events This finding informs you that an API operation that can list or describe AWS resources in an account within your environment was invoked from a Tor exit node IP address. Tor is software for enabling anonymous communication. It encrypts and randomly bounces communications through relays between a series of network nodes. The last Tor node is called the exit node. An attacker would use Tor to mask their true identity. Remediation recommendations: If this activity is unexpected, your credentials may be compromised. For more information, see Remediating compromised AWS credentials. STEALTH:IAMUSER/CLOUDTRAILLOGGINGDISABLED AWS CLOUDTRAIL LOGGING WAS DISABLED. Default severity: Low * Data source: CloudTrail management events This finding informs you that a CloudTrail trail within your AWS environment was disabled. This can be an attacker's attempt to disable logging to cover their tracks by eliminating any trace of their activity while gaining access to your AWS resources for malicious purposes. This finding can be triggered by a successful deletion or update of a trail. This finding can also be triggered by a successful deletion of an S3 bucket that stores the logs from a trail that is associated with GuardDuty. Remediation recommendations: If this activity is unexpected, your credentials may be compromised. For more information, see Remediating compromised AWS credentials. STEALTH:IAMUSER/PASSWORDPOLICYCHANGE ACCOUNT PASSWORD POLICY WAS WEAKENED. 
Default severity: Low* NOTE This finding's severity can be Low, Medium, or High depending on the severity of the changes made to password policy. * Data source: CloudTrail management events The AWS account password policy was weakened on the listed account within your AWS environment. For example, it was deleted or updated to require fewer characters, not require symbols and numbers, or required to extend the password expiration period. This finding can also be triggered by an attempt to update or delete your AWS account password policy. The AWS account password policy defines the rules that govern what kinds of passwords can be set for your IAM users. A weaker password policy permits the creation of passwords that are easy to remember and potentially easier to guess, thereby creating a security risk. Remediation recommendations: If this activity is unexpected, your credentials may be compromised. For more information, see Remediating compromised AWS credentials. UNAUTHORIZEDACCESS:IAMUSER/CONSOLELOGINSUCCESS.B MULTIPLE WORLDWIDE SUCCESSFUL CONSOLE LOGINS WERE OBSERVED. Default severity: Medium * Data source: CloudTrail management events This finding informs you that multiple successful console logins for the same IAM user were observed around the same time in various geographical locations. Such anomalous and risky access location patterns indicate potential unauthorized access to your AWS resources. Remediation recommendations: If this activity is unexpected, your credentials may be compromised. For more information, see Remediating compromised AWS credentials. UNAUTHORIZEDACCESS:IAMUSER/INSTANCECREDENTIALEXFILTRATION.INSIDEAWS CREDENTIALS THAT WERE CREATED EXCLUSIVELY FOR AN EC2 INSTANCE THROUGH AN INSTANCE LAUNCH ROLE ARE BEING USED FROM ANOTHER ACCOUNT WITHIN AWS. Default severity: High* NOTE This finding's default severity is High. However, if the API was invoked by an account affiliated with your AWS environment, the severity is Medium. 
* Data source: CloudTrail management events or S3 data events This finding informs you when your EC2 instance credentials are used to invoke APIs from an IP address that is owned by a different AWS account than the one that the associated EC2 instance is running in. AWS does not recommend redistributing temporary credentials outside of the entity that created them (for example, AWS applications, EC2, or Lambda). However, authorized users can export credentials from their EC2 instances to make legitimate API calls. If the remoteAccountDetails.Affiliated field is True the API was invoked from an account associated with your AWS environment. To rule out a potential attack and verify the legitimacy of the activity, contact the IAM user to whom these credentials are assigned. Remediation recommendations: In response to this finding you can use the following workflow to determine a course of action: 1. Identify the remote account involved from the service.action.awsApiCallAction.remoteAccountDetails.accountId field. 2. Next determine if that account is affiliated with your GuardDuty environment from the service.action.awsApiCallAction.remoteAccountDetails.affiliated field. 3. If the account is affiliated, contact the remote account owner, and the owner of the EC2 instance credentials to investigate. 4. If the account is not affiliated, first evaluate is that account is associated with your organization but is not a part of your GuardDuty multi-account set up, or if GuardDuty has not yet been enabled in the account. Otherwise contact the owner of the EC2 credentials to determine if there is a use case for a remote account to use these credentials. 5. If the owner of the credentials does not recognize the remote account the credentials may have been compromised by a threat actor operating within AWS. You should take the steps recommended in Remediating a compromised EC2 instance to secure your environment. 
Additionally you can submit an abuse report to the AWS Trust and Safety team to begin an investigation into the remote account. When submitting your report to AWS Trust and Safety please include the full JSON details of the finding. UNAUTHORIZEDACCESS:IAMUSER/INSTANCECREDENTIALEXFILTRATION.OUTSIDEAWS CREDENTIALS THAT WERE CREATED EXCLUSIVELY FOR AN EC2 INSTANCE THROUGH AN INSTANCE LAUNCH ROLE ARE BEING USED FROM AN EXTERNAL IP ADDRESS. Default severity: High * Data source: CloudTrail management events or S3 data events This finding informs you that a host outside of AWS has attempted to run AWS API operations using temporary AWS credentials that were created on an EC2 instance in your AWS environment. The listed EC2 instance might be compromised, and the temporary credentials from this instance might have been exfiltrated to a remote host outside of AWS. AWS does not recommend redistributing temporary credentials outside of the entity that created them (for example, AWS applications, EC2, or Lambda). However, authorized users can export credentials from their EC2 instances to make legitimate API calls. To rule out a potential attack and verify the legitimacy of the activity, validate if the use of instance credentials from the remote IP in the finding is expected. Remediation recommendations: This finding is generated when networking is configured to route internet traffic such that it egresses from an on-premises gateway rather than from a VPC Internet Gateway (IGW). Common configurations, such as using AWS Outposts, or VPC VPN connections, can result in traffic routed this way. If this is expected behavior, we recommend that you use suppression rules and create a rule that consists of two filter criteria. The first criteria is finding type, which should be UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS. The second filter criteria is API caller IPv4 Address with the IP address or CIDR range of your on-premises internet gateway. 
To learn more about creating suppression rules, see Suppression rules.

Note: If GuardDuty observes continued activity from an external source, its machine learning model will identify this as expected behavior and stop generating this finding for activity from that source. GuardDuty will continue to generate findings for new behavior from other sources, and will reevaluate learned sources as behavior changes over time.

If this activity is unexpected, your credentials may be compromised; see Remediating compromised AWS credentials.

UnauthorizedAccess:IAMUser/MaliciousIPCaller

An API was invoked from a known malicious IP address.

Default severity: Medium

* Data source: CloudTrail management events

This finding informs you that an API operation (for example, an attempt to launch an EC2 instance, create a new IAM user, or modify your AWS privileges) was invoked from a known malicious IP address. This can indicate unauthorized access to AWS resources within your environment.

Remediation recommendations:

If this activity is unexpected, your credentials may be compromised. For more information, see Remediating compromised AWS credentials.

UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom

An API was invoked from an IP address on a custom threat list.

Default severity: Medium

* Data source: CloudTrail management events

This finding informs you that an API operation (for example, an attempt to launch an EC2 instance, create a new IAM user, or modify AWS privileges) was invoked from an IP address that is included on a threat list that you uploaded. In GuardDuty, a threat list consists of known malicious IP addresses. This can indicate unauthorized access to AWS resources within your environment.

Remediation recommendations:

If this activity is unexpected, your credentials may be compromised. For more information, see Remediating compromised AWS credentials.

UnauthorizedAccess:IAMUser/TorIPCaller

An API was invoked from a Tor exit node IP address.
Default severity: Medium

* Data source: CloudTrail management events

This finding informs you that an API operation (for example, an attempt to launch an EC2 instance, create a new IAM user, or modify your AWS privileges) was invoked from a Tor exit node IP address. Tor is software for enabling anonymous communication. It encrypts and randomly bounces communications through relays between a series of network nodes. The last Tor node is called the exit node. This can indicate unauthorized access to your AWS resources with the intent of hiding the attacker's true identity.

Remediation recommendations:

If this activity is unexpected, your credentials may be compromised. For more information, see Remediating compromised AWS credentials.

© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.