Amazon GuardDuty
Amazon GuardDuty User Guide

Remediating Security Issues Discovered by Amazon GuardDuty

Amazon GuardDuty generates findings that indicate potential security issues. In this release of GuardDuty, the potential security issues indicate either a compromised EC2 instance or a set of compromised credentials in your AWS environment. The following sections describe the recommended remediation steps for either scenario.

Remediating a Compromised EC2 Instance

Follow these recommended steps to remediate a compromised EC2 instance in your AWS environment:

Remediating Compromised AWS Credentials

Follow these recommended steps to remediate compromised credentials in your AWS environment:

  • Identify the owner of the credentials.

    If a GuardDuty finding informs you of a potential compromise to AWS credentials, you can locate the affected IAM user by their access keys or user name.

    Note

    Users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. To fill this need, you can create, modify, view, or rotate access keys (access key IDs and secret access keys) for IAM users. For more information, see Managing Access Keys for IAM Users.

    To find the access key ID or user name that belongs to a potentially compromised IAM user, open the console and view the details pane of the finding that you're analyzing. For more information, see Working with GuardDuty Findings. After you have the access key ID or user name, open the IAM console, choose the Users tab, and locate the affected user by typing the access key ID or user name in the Find users by username or access key search field.

  • Determine whether the credentials were used by the IAM user legitimately.

    Contact the IAM user that you've located, and verify whether the user legitimately used the access key and user name that is identified in the GuardDuty finding. For example, find out if the user did the following:

    • Invoked the API operation that was listed in the GuardDuty finding

    • Invoked the API operation at the time that is listed in the GuardDuty finding

    • Invoked the API operation from the IP address that is listed in the GuardDuty finding

If you confirm that the activity is a legitimate use of the AWS credentials, you can ignore (archive) the GuardDuty finding. If not, the activity is likely the result of a compromise of that particular access key, of the IAM user's sign-in credentials (user name and password), or possibly of the entire AWS account. You can then use the information in the My AWS account may be compromised article to remediate the issue.
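The credential steps above, turned into a small triage helper. This is an added example, not code from the GuardDuty user guide: it reads a finding in the JSON shape returned by `aws guardduty get-findings` (Resource.AccessKeyDetails for the key and user, Service.Action.AwsApiCallAction for the API, source IP and timing), produces the three questions to put to the key's owner, and emits the AWS CLI commands for either outcome. The sample finding, account ID, key ID, user name and IP address are constructed placeholders, and the detector ID and finding ID are assumed inputs the operator already has from the console.

```python
"""Triage a GuardDuty credential finding: who, what, when, from where.

Added example, not part of the GuardDuty user guide. Field names follow the
finding JSON returned by `aws guardduty get-findings`; every value in the
sample finding below is constructed for illustration.
"""
import json

# Constructed sample finding: an IAM user's access key calling an EC2 API
# from an IP address GuardDuty considers malicious. Placeholder data only.
SAMPLE_FINDING = json.loads("""
{
  "AccountId": "123456789012",
  "Region": "us-east-1",
  "Type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller",
  "Severity": 5,
  "Resource": {
    "ResourceType": "AccessKey",
    "AccessKeyDetails": {
      "AccessKeyId": "AKIAIOSFODNN7EXAMPLE",
      "PrincipalId": "AIDAEXAMPLEPRINCIPALID",
      "UserType": "IAMUser",
      "UserName": "deploy-bot"
    }
  },
  "Service": {
    "ServiceName": "guardduty",
    "Action": {
      "ActionType": "AWS_API_CALL",
      "AwsApiCallAction": {
        "Api": "DescribeInstances",
        "ServiceName": "ec2.amazonaws.com",
        "CallerType": "Remote IP",
        "RemoteIpDetails": {"IpAddressV4": "198.51.100.23"}
      }
    },
    "EventFirstSeen": "2018-01-15T10:02:31Z",
    "EventLastSeen": "2018-01-15T10:41:07Z",
    "Count": 14
  }
}
""")


def extract_credential_facts(finding):
    """Pull the facts to confirm with the key's owner.

    Returns None for findings that are not about credentials (an EC2
    instance finding has ResourceType "Instance" and no AccessKeyDetails).
    """
    resource = finding.get("Resource", {})
    if resource.get("ResourceType") != "AccessKey":
        return None
    key = resource["AccessKeyDetails"]
    service = finding["Service"]
    api_call = service["Action"].get("AwsApiCallAction", {})
    return {
        "finding_type": finding.get("Type"),
        "user_name": key.get("UserName"),
        "user_type": key.get("UserType"),
        "access_key_id": key["AccessKeyId"],
        "api": api_call.get("Api"),
        "api_service": api_call.get("ServiceName"),
        "source_ip": api_call.get("RemoteIpDetails", {}).get("IpAddressV4"),
        "first_seen": service.get("EventFirstSeen"),
        "last_seen": service.get("EventLastSeen"),
        "count": service.get("Count"),
    }


def owner_questions(facts):
    """The guide's three verification questions, filled in from the finding."""
    return [
        f"Did you call {facts['api']} on {facts['api_service']}?",
        f"Did you call it between {facts['first_seen']} and {facts['last_seen']}?",
        f"Did you call it from IP address {facts['source_ip']}?",
    ]


def remediation_commands(facts, legitimate, detector_id, finding_id):
    """AWS CLI commands for each outcome of the owner check.

    Legitimate use: archive the finding. Otherwise deactivate the key first
    (reversible, stops further use immediately), then delete it; the wider
    account still needs review per the guide's linked article.
    detector_id and finding_id are assumed inputs from the console.
    """
    if legitimate:
        return [f"aws guardduty archive-findings --detector-id {detector_id} "
                f"--finding-ids {finding_id}"]
    user, key = facts["user_name"], facts["access_key_id"]
    if facts["user_type"] != "IAMUser" or not user:
        # Root or assumed-role credentials are rotated differently; flag for manual handling.
        return [f"# {key}: UserType={facts['user_type']}, rotate manually"]
    return [
        f"aws iam update-access-key --user-name {user} --access-key-id {key} --status Inactive",
        f"aws iam delete-access-key --user-name {user} --access-key-id {key}",
    ]


if __name__ == "__main__":
    facts = extract_credential_facts(SAMPLE_FINDING)
    print(f"Owner to contact: {facts['user_name']} (key {facts['access_key_id']})")
    for q in owner_questions(facts):
        print(" -", q)
    print("If not legitimate, run:")
    for cmd in remediation_commands(facts, False, "<detector-id>", "<finding-id>"):
        print("  ", cmd)
```

Deactivating before deleting is deliberate: an inactive key stops the attacker immediately but can be re-enabled if the owner turns out to have been reachable late and the use was legitimate after all; deletion is the irreversible final step.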