Findings by resource type Findings table

Finding types

For information about important changes to the GuardDuty finding types, including newly added or retired finding types, see Document history for Amazon GuardDuty.

For information about retired finding types see Retired finding types.

Findings by resource type

The following pages are broken down by each resource type GuardDuty currently generates findings for. The pages contain detailed information on all finding types for that resources type.

Findings table

The following table lists all finding types by name, threat purpose, resource and severity. A severity listed with an asterisk (*) indicates the finding has variable severities depending the circumstances of the finding, which are described in the details for that finding. Choose the finding name to open more info about that finding.

FINDING TYPE	THREAT PURPOSE	RESOURCE	SEVERITY
Backdoor:EC2/C&CActivity.B	Backdoor	EC2	High
Backdoor:EC2/C&CActivity.B!DNS	Backdoor	EC2	High
Backdoor:EC2/DenialOfService.Dns	Backdoor	EC2	High
Backdoor:EC2/DenialOfService.Tcp	Backdoor	EC2	High
Backdoor:EC2/DenialOfService.Udp	Backdoor	EC2	High
Backdoor:EC2/DenialOfService.UdpOnTcpPorts	Backdoor	EC2	High
Backdoor:EC2/DenialOfService.UnusualProtocol	Backdoor	EC2	High
Backdoor:EC2/Spambot	Backdoor	EC2	Medium
Behavior:EC2/NetworkPortUnusual	Behavior	EC2	Medium
Behavior:EC2/TrafficVolumeUnusual	Behavior	EC2	Medium
CryptoCurrency:EC2/BitcoinTool.B	CryptoCurrency	EC2	High
CryptoCurrency:EC2/BitcoinTool.B!DNS	CryptoCurrency	EC2	High
Discovery:S3/BucketEnumeration.Unusual	Discovery	S3	Medium*
Discovery:S3/MaliciousIPCaller	Discovery	S3	High
Discovery:S3/MaliciousIPCaller.Custom	Discovery	S3	High
Discovery:S3/TorIPCaller	Discovery	S3	Medium
Exfiltration:S3/MaliciousIPCaller	Exfiltration	S3	High
Exfiltration:S3/ObjectRead.Unusual	Exfiltration	S3	Medium*
Impact:EC2/AbusedDomainRequest.Reputation	Impact	EC2	Medium
Impact:EC2/BitcoinDomainRequest.Reputation	Impact	EC2	High
Impact:EC2/MaliciousDomainRequest.Reputation	Impact	EC2	High
Impact:EC2/SuspiciousDomainRequest.Reputation	Impact	EC2	Low
Impact:EC2/WinRMBruteForce	Impact	EC2	Low*
Impact:S3/MaliciousIPCaller	Impact	S3	High
Impact:S3/ObjectDelete.Unusual	Impact	S3	Medium*
Impact:S3/PermissionsModification.Unusual	Impact	S3	Medium*
PenTest:IAMUser/KaliLinux	PenTest	IAM	Medium
PenTest:IAMUser/ParrotLinux	PenTest	IAM	Medium
PenTest:IAMUser/PentooLinux	PenTest	IAM	Medium
PenTest:S3/KaliLinux	PenTest	S3	Medium
PenTest:S3/ParrotLinux	PenTest	S3	Medium
PenTest:S3/PentooLinux	PenTest	S3	Medium
Persistence:IAMUser/NetworkPermissions	Persistence	IAM	Medium*
Persistence:IAMUser/ResourcePermissions	Persistence	IAM	Medium*
Persistence:IAMUser/UserPermissions	Persistence	IAM	Medium*
Policy:IAMUser/RootCredentialUsage	Policy	IAM	Low
Policy:S3/AccountBlockPublicAccessDisabled	Policy	S3	Low
Policy:S3/BucketAnonymousAccessGranted	Policy	S3	High
Policy:S3/BucketBlockPublicAccessDisabled	Policy	S3	Low
Policy:S3/BucketPublicAccessGranted	Policy	S3	High
PrivilegeEscalation:IAMUser/AdministrativePermissions	PrivilegeEscalation	IAM	Low*
Recon:EC2/PortProbeEMRUnprotectedPort	Recon	EC2	High
Recon:EC2/PortProbeUnprotectedPort	Recon	EC2	Low*
Recon:EC2/Portscan	Recon	EC2	Medium
Recon:IAMUser/MaliciousIPCaller	Recon	IAM	Medium
Recon:IAMUser/MaliciousIPCaller.Custom	Recon	IAM	Medium
Recon:IAMUser/NetworkPermissions	Recon	IAM	Medium*
Recon:IAMUser/ResourcePermissions	Recon	IAM	Medium*
Recon:IAMUser/TorIPCaller	Recon	IAM	Medium
Recon:IAMUser/UserPermissions	Recon	IAM	Medium*
ResourceConsumption:IAMUser/ComputeResources	ResourceConsumption	IAM	Medium*
Stealth:IAMUser/CloudTrailLoggingDisabled	Stealth	IAM	Low
Stealth:IAMUser/LoggingConfigurationModified	Stealth	IAM	Medium*
Stealth:IAMUser/PasswordPolicyChange	Stealth	IAM	Low
Stealth:S3/ServerAccessLoggingDisabled	Stealth	S3	Low
Trojan:EC2/BlackholeTraffic	Trojan	EC2	Medium
Trojan:EC2/BlackholeTraffic!DNS	Trojan	EC2	Medium
Trojan:EC2/DGADomainRequest.B	Trojan	EC2	High
Trojan:EC2/DGADomainRequest.C!DNS	Trojan	EC2	High
Trojan:EC2/DNSDataExfiltration	Trojan	EC2	High
Trojan:EC2/DriveBySourceTraffic!DNS	Trojan	EC2	Medium
Trojan:EC2/DropPoint	Trojan	EC2	Medium
Trojan:EC2/DropPoint!DNS	Trojan	EC2	Medium
Trojan:EC2/PhishingDomainRequest!DNS	Trojan	EC2	High
UnauthorizedAccess:EC2/MaliciousIPCaller.Custom	UnauthorizedAccess	EC2	Medium
UnauthorizedAccess:EC2/MetadataDNSRebind	UnauthorizedAccess	EC2	High
UnauthorizedAccess:EC2/RDPBruteForce	UnauthorizedAccess	EC2	Low*
UnauthorizedAccess:EC2/SSHBruteForce	UnauthorizedAccess	EC2	Low*
UnauthorizedAccess:EC2/TorClient	UnauthorizedAccess	EC2	High
UnauthorizedAccess:EC2/TorRelay	UnauthorizedAccess	EC2	High
UnauthorizedAccess:IAMUser/ConsoleLogin	UnauthorizedAccess	IAM	Medium*
UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B	UnauthorizedAccess	IAM	Medium
UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration	UnauthorizedAccess	IAM	High
UnauthorizedAccess:IAMUser/MaliciousIPCaller	UnauthorizedAccess	IAM	Medium
UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom	UnauthorizedAccess	IAM	Medium
UnauthorizedAccess:IAMUser/TorIPCaller	UnauthorizedAccess	IAM	Medium
UnauthorizedAccess:S3/MaliciousIPCaller.Custom	UnauthorizedAccess	S3	High
UnauthorizedAccess:S3/TorIPCaller	UnauthorizedAccess	S3	High
Impact:EC2/PortSweep	Impact	EC2	High

Warning Javascript is disabled or is unavailable in your browser.

To use the AWS Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Sample findings

EC2 finding types