Why did I get GuardDuty UnauthorizedAccess brute force finding type alerts for my Amazon EC2 instance?

Last updated: 2020-08-11

Amazon GuardDuty detected alerts for the UnauthorizedAccess:EC2/RDPBruteForce or UnauthorizedAccess:EC2/SSHBruteForce finding types for my Amazon Elastic Compute Cloud (Amazon EC2) instance.

Short description

A brute force finding means that an Amazon EC2 instance in your account was involved in an attempt to guess SSH or RDP passwords, either as the target of the attempt or as its source. A finding by itself does not mean that a login succeeded, but it does indicate that the instance is reachable by attackers and should be investigated. For more information, see Finding types.

Resolution

Follow these instructions to check the GuardDuty finding type description, finding IDs, and detector IDs for more details about the brute force attack.  

Check the GuardDuty finding type description

Follow the instructions to view and analyze your GuardDuty findings.

In the finding details pane, note the title of the finding type similar to the following:

"198.51.100.0 is performing RDP brute force attacks against i-99999999. Brute force attacks are used to gain unauthorized access to your instance by guessing the RDP password."

In this example, the description indicates which Amazon EC2 instance is impacted, which protocol is being attacked (RDP), the direction of the brute force attack (the remote host is attacking the instance), and the remote IP address that the attempts are coming from.

Check the GuardDuty finding IDs and detector IDs

Important: Before you begin, be sure that you have installed and configured the AWS Command Line Interface (AWS CLI).

1.    Open the GuardDuty console.

2.    In the navigation pane, choose Findings.

3.    In Finding type, choose the UnauthorizedAccess finding type.

4.    In the finding type details pane, choose the Finding ID.

5.    In Findings JSON, note the GuardDuty finding and detector IDs.

6.    Run this AWS CLI command:

Note: Replace your-detector-id and your-findings-id with your GuardDuty detector and finding IDs.

aws guardduty get-findings --detector-id your-detector-id --finding-ids your-findings-id --query 'Findings[].Service.Action.NetworkConnectionAction.ConnectionDirection'

You receive an output similar to the following:

[
    "INBOUND"
]

7.    Run this AWS CLI command:

aws guardduty get-findings --detector-id your-detector-id --finding-ids your-findings-id --query 'Findings[].Service.Action.NetworkConnectionAction.RemoteIpDetails.IpAddressV4'

You receive an output similar to the following:

[
    "198.51.100.0"
]

In this example, the connection direction is INBOUND, so the Amazon EC2 instance is the target of the attack. The usual cause is a security group rule that allows SSH (TCP port 22) or RDP (TCP port 3389) inbound from 0.0.0.0/0 or ::/0, which means that the service is open to the public internet. If the connection direction is OUTBOUND instead, the instance is the source of the brute force attempts and you should treat it as compromised.

To mitigate the issue, you can restrict SSH/RDP traffic to only the set of IP addresses (for example, your administrative network or a bastion host) that are authorized to access the Amazon EC2 instance.

To restrict SSH traffic, see Adding a rule for inbound SSH traffic to a Linux instance.

To restrict RDP traffic, see Adding a rule for inbound RDP traffic to a Windows instance.
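The following Python script is an added example for this article, not AWS sample code: it performs the triage steps above against saved finding JSON and then checks whether the instance's security group exposes the attacked port to the internet. The finding and the security group are constructed inline to match the shapes returned by `aws guardduty get-findings` and `aws ec2 describe-security-groups`, so the script runs offline; the IDs, addresses, group name, and the 203.0.113.0/24 allowlist are made up for the example. In practice you would save the real output of those two commands to files and load them instead of the embedded strings.

```python
import json

# Port each brute force finding type targets.
BRUTE_FORCE_TYPES = {
    "UnauthorizedAccess:EC2/SSHBruteForce": 22,
    "UnauthorizedAccess:EC2/RDPBruteForce": 3389,
}

# Constructed finding in the shape of `aws guardduty get-findings` output,
# trimmed to the fields read below. IDs and addresses are made up.
FINDING_JSON = """{"Findings": [{
  "Id": "00b0a1c2d3e4f5a6b7c8d9e0f1a2b3c4",
  "Type": "UnauthorizedAccess:EC2/RDPBruteForce",
  "Resource": {"ResourceType": "Instance", "InstanceDetails": {
    "InstanceId": "i-99999999",
    "NetworkInterfaces": [{"SecurityGroups": [
      {"GroupId": "sg-0a1b2c3d", "GroupName": "admin-access"}]}]}},
  "Service": {"Action": {"ActionType": "NETWORK_CONNECTION",
    "NetworkConnectionAction": {
      "ConnectionDirection": "INBOUND",
      "Protocol": "TCP",
      "LocalPortDetails": {"Port": 3389, "PortName": "RDP"},
      "RemoteIpDetails": {"IpAddressV4": "198.51.100.0"}}}}}]}"""

# Constructed security group in the shape of `aws ec2 describe-security-groups`.
SECURITY_GROUP_JSON = """{"SecurityGroups": [{
  "GroupId": "sg-0a1b2c3d",
  "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}]}"""


def example_finding() -> dict:
    return json.loads(FINDING_JSON)["Findings"][0]


def example_security_group() -> dict:
    return json.loads(SECURITY_GROUP_JSON)["SecurityGroups"][0]


def triage_finding(finding: dict) -> dict:
    """Extract the fields the article has you note by hand, and decide whether
    the instance is the target (INBOUND) or the source (OUTBOUND) of the attack."""
    action = finding["Service"]["Action"]["NetworkConnectionAction"]
    details = finding["Resource"]["InstanceDetails"]
    direction = action["ConnectionDirection"]
    if direction == "INBOUND":
        verdict = "instance is the target: restrict inbound SSH/RDP"
    elif direction == "OUTBOUND":
        verdict = "instance is the source: treat it as compromised"
    else:
        verdict = "unexpected direction: review the finding manually"
    return {
        "finding_id": finding["Id"],
        "instance_id": details["InstanceId"],
        "direction": direction,
        "remote_ip": action["RemoteIpDetails"]["IpAddressV4"],
        "port": BRUTE_FORCE_TYPES.get(finding["Type"]),
        "security_groups": sorted({sg["GroupId"]
                                   for nic in details.get("NetworkInterfaces", [])
                                   for sg in nic.get("SecurityGroups", [])}),
        "verdict": verdict,
    }


def open_to_world(rule: dict, port: int) -> bool:
    """True if an ingress rule admits `port` from 0.0.0.0/0 or ::/0.
    IpProtocol "-1" means all traffic and carries no port range."""
    proto = rule["IpProtocol"]
    if proto not in ("tcp", "-1"):
        return False
    if proto == "tcp" and not rule["FromPort"] <= port <= rule["ToPort"]:
        return False
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return any(c in ("0.0.0.0/0", "::/0") for c in cidrs)


def world_open_rules(security_group: dict, port: int) -> list:
    """Ingress rules that expose `port` to the whole internet."""
    return [r for r in security_group["IpPermissions"] if open_to_world(r, port)]


def restricted_rule(port: int, allowed_cidrs: list) -> dict:
    """Replacement rule: same port, only the administrator allowlist."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": c, "Description": "admin allowlist"}
                         for c in allowed_cidrs]}


if __name__ == "__main__":
    summary = triage_finding(example_finding())
    print(json.dumps(summary, indent=2))
    exposed = world_open_rules(example_security_group(), summary["port"])
    print("rules open to the world on port %s: %s" % (summary["port"], json.dumps(exposed)))
    # 203.0.113.0/24 stands in for your administrative network; it is an assumption.
    print("replacement rule:", json.dumps(restricted_rule(summary["port"], ["203.0.113.0/24"])))
```

The security group check deliberately treats an "all traffic" rule (IpProtocol -1) and a TCP range that merely contains port 22 or 3389 as exposures, because both let the brute force traffic in even though neither names the port explicitly. The replacement rule is only printed; apply it with the console or `aws ec2 authorize-security-group-ingress` / `revoke-security-group-ingress` after confirming the allowlist is correct.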

For more information, see Remediating a compromised EC2 instance.