Why did I receive the GuardDuty finding type alert UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS for my Amazon EC2 instance?

Short description

The GuardDuty finding type UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS indicates that an outside host tried to use temporary AWS credentials to run AWS API operations. The temporary AWS credentials were created on an Amazon Elastic Compute Cloud (Amazon EC2) instance in your AWS environment.

Resolution

Locate and analyze your GuardDuty finding. In the Details pane of the finding, note the external IP address and AWS Identity and Access Management (IAM) username.

The external IP address is safe

If you or someone that you trust owns the external IP address, then you can automatically archive the finding with a suppression rule.

The external IP address is malicious

To resolve this issue, complete the following steps:

1. Deny all permissions to the IAM user.
   Note: Permissions for the IAM user are denied for all EC2 instances.

2. Create an IAM policy with an explicit Deny that blocks access to the instance for the IAM user:
   Note: Replace your-roleID your role's ID and your-role-session-name with your role's session name.

     
   {  "Version": "2012-10-17",  
     "Statement": \[  
       {  
         "Effect": "Deny",  
         "Action": \[  
           "\*"  
         \],  
         "Resource": \[  
           "\*"  
         \],  
         "Condition": {  
           "StringEquals": {  
             "aws:userId": "your-roleId:your-role-session-name"  
           }  
         }  
       }  
     \]  
   }

3. Remediate a potentially compromised EC2 instance in your AWS environment.
   Note: As a security best practice, make sure that you use instance metadata service (IMDS) on your instances.