Why did I receive the GuardDuty finding type alert UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration for my Amazon EC2 instance?

Last updated: 2020-02-20

Amazon GuardDuty detected alerts for the UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration finding type.

Short Description

The GuardDuty finding type UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration indicates that AWS credentials that were created exclusively for an Amazon Elastic Compute Cloud (Amazon EC2) instance through an instance launch role are being used from an external IP address.

This finding type can also occur if:

  • The EC2 instance has a proxy configured with an Amazon Virtual Private Cloud (Amazon VPC) or local route table.
  • The EC2 instance route table has a NAT instance or NAT gateway.
  • The Amazon VPC for the EC2 instance uses a public IP address.

Resolution

1.    Follow the instructions to view and analyze your GuardDuty findings.

2.    In the findings detail pane, note the external IP address and IAM user name.

3.    If the external IP address is owned by you or someone that you trust, you can auto-archive the findings with a suppression rule.

4.    If the external IP address is malicious, you can deny all permissions to the IAM user.

Note: Permissions for the IAM user are denied for all EC2 instances.

5.    Create an IAM policy with explicit Deny to block access to the EC2 instance for the IAM user similar to the following:

Note: Replace your-roleId:your-role-session-name with the Principal ID shown in the finding (it has the form roleId:role-session-name).

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "*"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:userId": "your-roleId:your-role-session-name"
        }
      }
    }
  ]
}

6.    Follow the instructions for remediating a compromised EC2 instance.

Note: As a security best practice, be sure to require the use of IMDSv2 on an existing instance.
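An added example (not AWS's code) that walks steps 2 through 5 above on a constructed finding laid out like GuardDuty's GetFindings output: it pulls the external IP and Principal ID from the finding, checks the IP against ranges you own (the suppression-rule case), and otherwise emits the explicit-Deny policy from step 5 scoped to that role session. The IDs, role name and CIDR ranges are placeholders.

```python
import ipaddress

# Constructed sample finding (placeholder IDs, only the fields read below), in the
# shape GuardDuty's GetFindings API returns for this finding type.
SAMPLE_FINDING = {
    "Type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration",
    "Resource": {"AccessKeyDetails": {
        "AccessKeyId": "ASIAEXAMPLEKEY",
        # For instance-profile credentials the session name is the instance ID.
        "PrincipalId": "AROAEXAMPLEROLEID:i-0123456789abcdef0",
        "UserName": "ec2-app-role",
        "UserType": "AssumedRole",
    }},
    "Service": {"Action": {"AwsApiCallAction": {
        "RemoteIpDetails": {"IpAddressV4": "203.0.113.5"},
    }}},
}

def extract_indicators(finding):
    """Step 2: pull the external IP and the principal (roleId:session-name)."""
    key = finding["Resource"]["AccessKeyDetails"]
    ip = finding["Service"]["Action"]["AwsApiCallAction"]["RemoteIpDetails"]["IpAddressV4"]
    return ip, key["PrincipalId"], key["UserName"]

def is_trusted_ip(ip, trusted_cidrs):
    """Step 3: an IP inside a range you own is a candidate for a suppression rule."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in trusted_cidrs)

def build_deny_policy(principal_id):
    """Step 5: the article's explicit-Deny policy, scoped to one role session."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": ["*"],
            "Resource": ["*"],
            "Condition": {"StringEquals": {"aws:userId": principal_id}},
        }],
    }

def triage(finding, trusted_cidrs):
    """Return ("suppress", None) for a trusted source, else ("deny", policy)."""
    ip, principal_id, _ = extract_indicators(finding)
    if is_trusted_ip(ip, trusted_cidrs):
        return "suppress", None
    return "deny", build_deny_policy(principal_id)
```

The returned policy document is what you would attach to the role (or use as a starting point) in step 5; applying it is still a deliberate, reviewed action, not something to automate blindly from a single finding.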
