Why did I receive Amazon GuardDuty UnauthorizedAccess:IAMUser/TorIPCaller or Recon:IAMUser/TorIPCaller findings for my IAM user or role?
Last updated: 2020-02-19
The UnauthorizedAccess:IAMUser/TorIPCaller and Recon:IAMUser/TorIPCaller finding types indicate that the credentials or access keys of an AWS Identity and Access Management (IAM) identity were used to call an AWS API from a Tor exit node IP address. For example, the finding can be raised when the call tries to create an EC2 instance, list access key IDs, or modify IAM permissions. Because Tor hides the caller's true origin, these finding types can also indicate that the IAM identity credentials or access keys are compromised. For more information, see An API was invoked from a Tor exit node IP address.
Use GuardDuty to locate the IAM access key, and AWS CloudTrail to identify the AWS API activity.
- Follow the instructions to view and analyze your GuardDuty findings.
- In the findings detail pane, note the IAM access key ID.
- Follow the instructions to search for IAM access key API activity using CloudTrail.
- Follow the instructions for remediating compromised AWS credentials.
- If you confirm that the activity is not a legitimate use of AWS credentials, see My AWS account might be compromised.
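The following is an added example, not part of the Knowledge Center article and not AWS code, that scripts steps 2 and 3 above: it reads the access key ID and the Tor exit IP out of a GuardDuty finding, then filters CloudTrail records down to that key's calls and separates the ones made from the flagged IP. The finding, the CloudTrail records, and the access key IDs are constructed sample data.

```python
# Constructed GuardDuty finding, trimmed to the fields used here (not a real finding).
FINDING = {
    "type": "UnauthorizedAccess:IAMUser/TorIPCaller",
    "resource": {"resourceType": "AccessKey",
                 "accessKeyDetails": {"accessKeyId": "AKIAEXAMPLEKEY000001",
                                      "userName": "deploy-bot", "userType": "IAMUser"}},
    "service": {"action": {"actionType": "AWS_API_CALL",
                "awsApiCallAction": {"api": "ListAccessKeys",
                                     "serviceName": "iam.amazonaws.com",
                                     "remoteIpDetails": {"ipAddressV4": "198.51.100.23"}}}},
}

# Constructed CloudTrail records in the log-file record format (not real events).
KEY = "AKIAEXAMPLEKEY000001"
RECORDS = [
    {"eventTime": "2020-02-18T09:01:12Z", "eventName": "ListAccessKeys", "eventSource": "iam.amazonaws.com",
     "sourceIPAddress": "198.51.100.23", "userIdentity": {"accessKeyId": KEY}},
    {"eventTime": "2020-02-18T09:02:40Z", "eventName": "CreateAccessKey", "eventSource": "iam.amazonaws.com",
     "sourceIPAddress": "198.51.100.23", "userIdentity": {"accessKeyId": KEY}},
    {"eventTime": "2020-02-18T09:03:05Z", "eventName": "RunInstances", "eventSource": "ec2.amazonaws.com",
     "sourceIPAddress": "198.51.100.23", "userIdentity": {"accessKeyId": KEY},
     "errorCode": "Client.UnauthorizedOperation"},
    {"eventTime": "2020-02-18T07:30:00Z", "eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"accessKeyId": KEY}},
    {"eventTime": "2020-02-18T09:04:00Z", "eventName": "GetObject", "eventSource": "s3.amazonaws.com",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"accessKeyId": "AKIAOTHERKEY00000002"}},
]

READ_ONLY_PREFIXES = ("Describe", "List", "Get", "Head")


def key_from_finding(finding):
    """Step 2 of the article: the access key ID shown in the finding detail pane."""
    return finding["resource"]["accessKeyDetails"]["accessKeyId"]


def triage(finding, records):
    """Step 3: this key's CloudTrail events, with those from the Tor exit IP separated out.
    Successful mutating calls (not Describe/List/Get/Head) from that IP are what remediation must undo."""
    key_id = key_from_finding(finding)
    tor_ip = finding["service"]["action"]["awsApiCallAction"]["remoteIpDetails"]["ipAddressV4"]
    mine = [r for r in records if r.get("userIdentity", {}).get("accessKeyId") == key_id]
    from_tor = [r for r in mine if r["sourceIPAddress"] == tor_ip]
    writes = [r["eventName"] for r in from_tor
              if not r["eventName"].startswith(READ_ONLY_PREFIXES) and "errorCode" not in r]
    return {"from_tor_ip": [r["eventName"] for r in from_tor],
            "other_source_ips": sorted({r["sourceIPAddress"] for r in mine} - {tor_ip}),
            "successful_writes_from_tor": writes}
```

Calls from other source IPs are worth checking too, since a key stolen once is often used from more than one place; the "other_source_ips" list gives you those addresses to review next.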