Why did I receive the GuardDuty finding type alert UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS for my Amazon EC2 instance?

Last updated: 2022-06-16

Amazon GuardDuty detected alerts for the UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS finding type.

Short description


Follow the instructions to view and analyze your GuardDuty findings. Then, in the findings detail pane, note the external IP address and IAM user name.

The external IP address is safe

If the external IP address is owned by you or someone that you trust, then you can auto-archive the findings with a suppression rule.

The external IP address is malicious

1. If the external IP address is malicious, then you can deny all permissions to the IAM user.

Note: Permissions for the IAM user are denied for all EC2 instances.

2. Create an IAM policy with an explicit deny to block access to the EC2 instance for the IAM user similar to the following:

Note: Replace your-roleId and your-role-session-name with the Principal ID.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": ["*"],
      "Resource": ["*"],
      "Condition": {
        "StringEquals": {
          "aws:userId": "your-roleId:your-role-session-name"
        }
      }
    }
  ]
}

3. Follow the instructions for remediating a compromised EC2 instance.

Note: As a security best practice, be sure to require the use of IMDSv2 on an existing instance.
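
The triage described above, as an added example that is not part of the original article: it reads the external IP address and Principal ID from a finding, then returns either a suppress decision or the explicit-deny policy. The sample finding and trusted CIDR list are constructed, the field names follow the GuardDuty GetFindings response shape, and the "*" values for Action and Resource are an assumption based on the "deny all permissions" step.

```python
import ipaddress
import json

# Constructed sample, trimmed to the fields used here.
SAMPLE_FINDING = {
    "Type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS",
    "Resource": {"AccessKeyDetails": {
        "PrincipalId": "AROAEXAMPLEROLEID:i-0123456789abcdef0",
        "UserName": "example-instance-role",
        "UserType": "AssumedRole",
    }},
    "Service": {"Action": {"AwsApiCallAction": {
        "RemoteIpDetails": {"IpAddressV4": "198.51.100.23"},
    }}},
}

# Assumption: CIDR ranges you own or trust (a documentation range is used here).
TRUSTED_CIDRS = ["203.0.113.0/24"]


def triage(finding, trusted_cidrs):
    """Return (decision, remote_ip, policy); policy is None for a trusted IP."""
    keys = finding["Resource"]["AccessKeyDetails"]
    call = finding["Service"]["Action"]["AwsApiCallAction"]
    remote_ip = ipaddress.ip_address(call["RemoteIpDetails"]["IpAddressV4"])
    if any(remote_ip in ipaddress.ip_network(c) for c in trusted_cidrs):
        return "suppress", str(remote_ip), None
    principal_id = keys["PrincipalId"]
    # The deny condition matches roleId:session-name, so require both parts.
    role_id, sep, session = principal_id.partition(":")
    if not (role_id and sep and session):
        raise ValueError(f"not a roleId:session-name value: {principal_id!r}")
    policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": ["*"],    # assumed deny-all, per "deny all permissions"
            "Resource": ["*"],
            "Condition": {"StringEquals": {"aws:userId": principal_id}},
        }],
    }
    return "deny", str(remote_ip), policy


if __name__ == "__main__":
    decision, ip, policy = triage(SAMPLE_FINDING, TRUSTED_CIDRS)
    print(decision, ip)
    print(json.dumps(policy, indent=2))
```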
