Amazon GuardDuty
Amazon GuardDuty User Guide

Unauthorized Finding Types

This section covers the active Unauthorized threat purpose finding types. For information about important changes to the GuardDuty finding types, including newly added or retired finding types, see Document History for Amazon GuardDuty.

Important

The default severity value of a finding type is subject to change based on various criteria when the finding is generated.

UnauthorizedAccess:EC2/MetadataDNSRebind

Finding description

An Amazon EC2 instance is performing DNS lookups that resolve to the instance metadata service.

This finding informs you that an EC2 instance in your AWS environment is querying a domain that resolves to the EC2 metadata IP address (169.254.169.254). A DNS query of this kind may indicate that the instance is a target of a DNS Rebinding technique which can be used to obtain metadata from an EC2 instance, including the IAM credentials associated with the instance.

DNS Rebinding involves tricking an application running on the EC2 instance into loading and returning data from a URL whose domain name resolves to the EC2 metadata IP address (169.254.169.254). This causes the application to access EC2 metadata and possibly make it available to the attacker.

It is possible to access EC2 metadata using DNS Rebinding only if the EC2 instance is running a vulnerable application that allows injection of URLs, or if a human user accesses the URL in a web browser running on the EC2 instance.

In response to this finding, you should evaluate whether there is a vulnerable application running on the EC2 instance, or whether a human user used a browser to access the domain identified in the finding. If the root cause is a vulnerable application, you should fix the vulnerability. If it was due to a user browsing the identified domain, you should block the domain or prevent users from accessing it. If you determine that either case above applies, you should revoke the session associated with the EC2 instance.

Some AWS customers intentionally map the metadata IP address to a domain name on their authoritative DNS servers. Such customers can implement an archive filter to auto-archive all findings whose type is UnauthorizedAccess:EC2/MetadataDNSRebind and whose service.action.dnsRequestAction.domain field is the same as the domain name they have mapped to the metadata IP address (169.254.169.254). To learn more, see CreateFilter.

Default severity: High

UnauthorizedAccess:IAMUser/TorIPCaller

Finding description

An API was invoked from a Tor exit node IP address.

This finding informs you that an API operation (for example, an attempt to launch an EC2 instance, create a new IAM user, or modify your AWS privileges) was invoked from a Tor exit node IP address. Tor is software for enabling anonymous communication. It encrypts and randomly bounces communications through relays between a series of network nodes. The last Tor node is called the exit node. This can indicate unauthorized access to your AWS resources with the intent of hiding the attacker’s true identity. For more information, see Remediating Compromised AWS Credentials.

Default severity: Medium

UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom

Finding description

An API was invoked from an IP address on a custom threat list.

This finding informs you that an API operation (for example, an attempt to launch an EC2 instance, create a new IAM user, modify your AWS privileges, and so on) was invoked from an IP address that is included on a threat list that you uploaded. In GuardDuty, a threat list consists of known malicious IP addresses. GuardDuty generates findings based on uploaded threat lists. This can indicate unauthorized access to your AWS resources with the intent of hiding the attacker’s true identity. For more information, see Remediating Compromised AWS Credentials.

Default severity: Medium

UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B

Finding description

Multiple worldwide successful console logins were observed.

This finding informs you that multiple successful console logins for the same IAM user were observed around the same time in various geographical locations. Such an anomalous and risky access-location pattern indicates potential unauthorized access to your AWS resources. For more information, see Remediating Compromised AWS Credentials.

Note

This finding is only triggered by the activity of the following IAM identities: root, IAM users, and federated users. This finding is NOT triggered by the activity of an assumed role. For more information about IAM identities, see CloudTrail userIdentity Element.

Default severity: Medium

UnauthorizedAccess:IAMUser/MaliciousIPCaller

Finding description

An API was invoked from a known malicious IP address.

This finding informs you that an API operation (for example, an attempt to launch an EC2 instance, create a new IAM user, modify your AWS privileges, and so on) was invoked from a known malicious IP address. This can indicate unauthorized access to your AWS resources. For more information, see Remediating Compromised AWS Credentials.

Default severity: Medium

UnauthorizedAccess:EC2/TorIPCaller

Finding description

EC2 instance is receiving inbound connections from a Tor exit node.

This finding informs you that an EC2 instance in your AWS environment is receiving inbound connections from a Tor exit node. Tor is software for enabling anonymous communication. It encrypts and randomly bounces communications through relays between a series of network nodes. This can indicate unauthorized access to your AWS resources with the intent of hiding the attacker’s true identity. For more information, see Remediating a Compromised EC2 Instance.

Default severity: Medium

UnauthorizedAccess:EC2/MaliciousIPCaller.Custom

Finding description

EC2 instance is communicating outbound with an IP address on a custom threat list.

This finding informs you that an EC2 instance in your AWS environment is communicating outbound with an IP address included on a threat list that you uploaded. In GuardDuty, a threat list consists of known malicious IP addresses. GuardDuty generates findings based on uploaded threat lists. This can indicate unauthorized access to your AWS resources. For more information, see Remediating a Compromised EC2 Instance.

Default severity: Medium

UnauthorizedAccess:EC2/SSHBruteForce

Finding description

EC2 instance has been involved in SSH brute force attacks.

This finding informs you that an EC2 instance in your AWS environment was involved in a brute force attack aimed at obtaining passwords to SSH services on Linux-based systems. This can indicate unauthorized access to your AWS resources.

This finding’s severity is low if a brute force attack is aimed at one of your EC2 instances. This finding’s severity is high if your EC2 instance is being used to perform the brute force attack.

Note

This finding is generated only through GuardDuty monitoring traffic on port 22. If your SSH services are configured to use other ports, this finding is not generated.

For more information, see Remediating a Compromised EC2 Instance.

Default severity: Low

UnauthorizedAccess:EC2/RDPBruteForce

Finding description

EC2 instance has been involved in RDP brute force attacks.

This finding informs you that an EC2 instance in your AWS environment was involved in a brute force attack aimed at obtaining passwords to RDP services on Windows-based systems. This can indicate unauthorized access to your AWS resources.

This finding’s severity is low if a brute force attack is aimed at one of your EC2 instances. This finding’s severity is high if your EC2 instance is being used to perform the brute force attack.

For more information, see Remediating a Compromised EC2 Instance.

Default severity: Low

UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration

Finding description

Credentials that were created exclusively for an EC2 instance through an instance launch role are being used from an external IP address.

This finding informs you of attempts to run AWS API operations from a host outside of EC2, using temporary AWS credentials that were created on an EC2 instance in your AWS account. Your EC2 instance might be compromised, and the temporary credentials from this instance might have been exfiltrated to a remote host outside of AWS. AWS does not recommend redistributing temporary credentials outside of the entity that created them (for example, AWS applications, EC2, or Lambda). However, authorized users can export credentials from their EC2 instances to make legitimate API calls. To rule out a potential attack and verify the legitimacy of the activity, contact the IAM user to whom these credentials are assigned. For more information, see Remediating Compromised AWS Credentials.

This finding is also generated when Amazon VPC networking is configured to route Internet traffic such that it egresses from an on-premises gateway rather than from a VPC Internet Gateway (IGW). Common configurations, such as using AWS Direct Connect or VPC VPN connections, can result in traffic routed this way. To suppress this expected behavior, it's recommended that you use the auto-archiving feature in GuardDuty and create a rule that consists of two filter criteria. The first criterion is "finding type", which should be UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration. The second criterion is either the IP address or the ASN of your on-premises internet gateway. For IP-based filters, use the "API caller IPv4 Address" criterion. For ASN-based filters, use either the "API caller ASN name" or "API caller ASN ID" criterion. GuardDuty still generates findings that match an auto-archiving filter rule. However, the rule causes these findings to go directly to the findings archive and not trigger an event for a CloudWatch Events rule or be sent to any other downstream integrations. To learn more, see Filtering and Auto-Archiving Findings.

Default severity: High
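The two auto-archive filters described above (the MetadataDNSRebind domain filter and the InstanceCredentialExfiltration gateway filter) expressed as CreateFilter criteria. This is an added example, not code from the AWS documentation: the domain field name is the one given on this page, while the remoteIpDetails field names are assumed to be the API equivalents of the console labels "API caller IPv4 Address" and "API caller ASN ID"; the detector ID, domain and gateway values are constructed placeholders.

```python
"""Build GuardDuty auto-archive FindingCriteria for two expected-behaviour cases."""
import json

# Filter attribute names. DOMAIN_FIELD is named on this page; the two
# remoteIpDetails fields are assumed API names for the console criteria.
DOMAIN_FIELD = "service.action.dnsRequestAction.domain"
CALLER_IP_FIELD = "service.action.awsApiCallAction.remoteIpDetails.ipAddressV4"
CALLER_ASN_FIELD = "service.action.awsApiCallAction.remoteIpDetails.organization.asn"


def build_criteria(finding_type, fields):
    """Return a FindingCriteria document: finding type AND every field in `fields`.
    Each value may be a single string or a list of strings (matched with Equals)."""
    criterion = {"type": {"Equals": [finding_type]}}
    for field, value in fields.items():
        values = [value] if isinstance(value, str) else [str(v) for v in value]
        if not values:
            raise ValueError(f"empty value list for {field}")
        criterion[field] = {"Equals": values}
    return {"Criterion": criterion}


def metadata_rebind_filter(mapped_domains):
    """Archive MetadataDNSRebind findings for domains you deliberately map to 169.254.169.254."""
    return build_criteria("UnauthorizedAccess:EC2/MetadataDNSRebind",
                          {DOMAIN_FIELD: mapped_domains})


def credential_exfil_filter(gateway_ips=None, gateway_asns=None):
    """Archive InstanceCredentialExfiltration findings whose API caller is your own
    on-premises egress gateway, identified by IPv4 address and/or ASN number."""
    if not gateway_ips and not gateway_asns:
        raise ValueError("supply at least one gateway IP or ASN")
    fields = {}
    if gateway_ips:
        fields[CALLER_IP_FIELD] = gateway_ips
    if gateway_asns:
        fields[CALLER_ASN_FIELD] = gateway_asns
    return build_criteria("UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration", fields)


def create_archive_filter(detector_id, name, criteria, rank=1):
    """Create the filter with boto3 (imported lazily so the builders above run offline)."""
    import boto3
    client = boto3.client("guardduty")
    return client.create_filter(DetectorId=detector_id, Name=name, Action="ARCHIVE",
                                Rank=rank, FindingCriteria=criteria)


if __name__ == "__main__":  # constructed sample values, not real infrastructure
    print(json.dumps(metadata_rebind_filter(["metadata.corp.example"]), indent=2))
    print(json.dumps(credential_exfil_filter(gateway_ips=["203.0.113.10"]), indent=2))
```

Keep the gateway filter as narrow as possible (your egress IPs rather than a whole ASN where you can), since any credential use from a matching caller is archived without raising a CloudWatch event.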

UnauthorizedAccess:IAMUser/ConsoleLogin

Finding description

An unusual console login by a principal in your AWS account was observed.

This finding informs you that a specific principal in your AWS environment is exhibiting behavior that is different from the established baseline. This principal has no prior history of login activity using this client application from this specific location. Your credentials might be compromised. For more information, see Remediating Compromised AWS Credentials.

This finding is triggered when a console login is detected under suspicious circumstances. For example, a principal with no prior history of doing so invoked the ConsoleLogin API from a never-before-used client or an unusual location. This could be an indication of stolen credentials being used to gain access to your AWS account, or a valid user accessing the account in an invalid or less secure manner (for example, not over an approved VPN).

Note

Unlike UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B, this finding can be triggered by any user type.

Default severity: Medium

This finding’s default severity is Medium. However, if a principal logs in to the console using temporary AWS credentials that are created on an Amazon EC2 instance, the finding’s severity is High.

UnauthorizedAccess:EC2/TorClient

Finding description

EC2 instance is making connections to a Tor Guard or an Authority node.

This finding informs you that an EC2 instance in your AWS environment is making connections to a Tor Guard or an Authority node. Tor is software for enabling anonymous communication. Tor Guards and Authority nodes act as initial gateways into a Tor network. This traffic can indicate that this EC2 instance is acting as a client on a Tor network. A common use for a Tor client is to circumvent network monitoring and filtering in order to access unauthorized or illicit content. Tor clients can also generate nefarious Internet traffic, including attacks on SSH servers. This activity can indicate that your EC2 instance is compromised. For more information, see Remediating a Compromised EC2 Instance.

Default severity: High

UnauthorizedAccess:EC2/TorRelay

Finding description

EC2 instance is making connections to a Tor network as a Tor relay.

This finding informs you that an EC2 instance in your AWS environment is making connections to a Tor network in a manner that suggests it's acting as a Tor relay. Tor is software for enabling anonymous communication. Tor relays increase the anonymity of the communication by forwarding the client's possibly illicit traffic from one Tor relay to another. If this activity is unexpected, your EC2 instance might be compromised. For more information, see Remediating a Compromised EC2 Instance.

Default severity: High