Why did I receive the GuardDuty finding type alert UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration for my Amazon EC2 instance?

Last updated: 2020-09-30

Amazon GuardDuty detected alerts for the UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration finding type.

Short description

The GuardDuty finding type UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration indicates that AWS credentials that were created exclusively for an Amazon Elastic Compute Cloud (Amazon EC2) instance through an instance launch role are being used from an external IP address.

Resolution

Follow the instructions to view and analyze your GuardDuty findings. Then, in the findings detail pane, note the external IP address and the IAM user name.

The external IP address is safe

If the external IP address is owned by you or someone that you trust, you can auto-archive the findings with a suppression rule.

The external IP address is malicious

1. If the external IP address is malicious, you can deny all permissions to the IAM user.

Note: Denying permissions this way affects the IAM user on every EC2 instance that uses it, not only the instance named in the finding.

2. Create an IAM policy with an explicit deny that blocks access for the IAM user's EC2 instance session, similar to the following:

Note: Replace your-roleId and your-role-session-name with the two parts of the Principal ID shown in the finding (the role ID, a colon, and the role session name).

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Deny",
        "Action": [
          "*"
        ],
        "Resource": [
          "*"
        ],
        "Condition": {
          "StringEquals": {
            "aws:userId": "your-roleId:your-role-session-name"
          }
        }
      }
    ]
  }
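As an added example that is not part of the AWS article, the following Python pulls the external IP address, the IAM user name and the Principal ID out of a GuardDuty finding and builds the explicit-deny policy above from it. The finding is a constructed sample: the field names assume the shape returned by the GuardDuty GetFindings API (Resource.AccessKeyDetails and Service.Action.AwsApiCallAction), and the IP, key ID and role ID are placeholders. The condition key aws:userId is matched against roleId:role-session-name, so the deny scopes to the one role session (the instance) rather than to every instance that uses the role.

```python
import json

# Constructed sample finding (abridged). Assumes the GetFindings response
# shape; the identifiers and the IP address are placeholders.
SAMPLE_FINDING = {
    "Type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration",
    "Resource": {
        "ResourceType": "AccessKey",
        "AccessKeyDetails": {
            "AccessKeyId": "ASIAEXAMPLEKEY00001",
            "PrincipalId": "AROAEXAMPLEROLEID01:i-0123456789abcdef0",
            "UserName": "example-instance-role",
            "UserType": "AssumedRole",
        },
    },
    "Service": {
        "Action": {
            "ActionType": "AWS_API_CALL",
            "AwsApiCallAction": {
                "RemoteIpDetails": {"IpAddressV4": "198.51.100.23"},
            },
        },
    },
}


def extract_indicators(finding):
    """Return the external IP, IAM user name and Principal ID from a finding."""
    key = finding["Resource"]["AccessKeyDetails"]
    api_call = finding["Service"]["Action"]["AwsApiCallAction"]
    return {
        "external_ip": api_call["RemoteIpDetails"]["IpAddressV4"],
        "user_name": key["UserName"],
        "principal_id": key["PrincipalId"],
    }


def build_deny_policy(principal_id):
    """Build the explicit-deny policy for one role session.

    principal_id must look like 'roleId:role-session-name'; for instance
    credentials the session name is normally the instance ID.
    """
    role_id, sep, session_name = principal_id.partition(":")
    if not sep or not role_id or not session_name:
        raise ValueError("Principal ID must be of the form roleId:role-session-name")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Action": ["*"],
                "Resource": ["*"],
                "Condition": {
                    "StringEquals": {"aws:userId": f"{role_id}:{session_name}"}
                },
            }
        ],
    }


def policy_document_for(finding):
    """Return the deny policy for the session in the finding as JSON text."""
    principal_id = extract_indicators(finding)["principal_id"]
    return json.dumps(build_deny_policy(principal_id), indent=2)


if __name__ == "__main__":
    print(extract_indicators(SAMPLE_FINDING))
    print(policy_document_for(SAMPLE_FINDING))
```

The returned JSON can be attached to the instance role as an inline policy; the user name and external IP are what you compare against your own address ranges before deciding between a suppression rule and the deny.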

3. Follow the instructions for remediating a compromised EC2 instance.

Note: As a security best practice, be sure to require the use of IMDSv2 on an existing instance.
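The following Python is an added example, not code from the AWS article, showing how to find instances that still accept IMDSv1 and switch them to require IMDSv2. The audit function works on the DescribeInstances response shape (MetadataOptions.HttpTokens is "optional" or "required"), so it runs offline against the constructed sample below; the enforcement function calls the real EC2 ModifyInstanceMetadataOptions API through whatever client object is passed in, and boto3 is only imported when the script is run directly.

```python
# Constructed DescribeInstances response (abridged); instance IDs are placeholders.
SAMPLE_DESCRIBE_INSTANCES = {
    "Reservations": [
        {
            "Instances": [
                {
                    "InstanceId": "i-0123456789abcdef0",
                    "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "enabled"},
                },
                {
                    "InstanceId": "i-0fedcba9876543210",
                    "MetadataOptions": {"HttpTokens": "required", "HttpEndpoint": "enabled"},
                },
                # Instance with no MetadataOptions reported: treat as not enforced.
                {"InstanceId": "i-00000000000000001"},
            ]
        }
    ]
}


def instances_needing_imdsv2(describe_response):
    """Return IDs of instances whose metadata service does not require IMDSv2."""
    needing = []
    for reservation in describe_response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpTokens") != "required":
                needing.append(inst["InstanceId"])
    return needing


def imdsv2_params(instance_id):
    """Parameters for ModifyInstanceMetadataOptions that require session tokens."""
    return {
        "InstanceId": instance_id,
        "HttpTokens": "required",   # IMDSv1 requests are refused
        "HttpEndpoint": "enabled",  # keep the metadata service reachable
    }


def require_imdsv2(ec2_client, instance_id):
    """Enforce IMDSv2 on one instance; returns the API response."""
    return ec2_client.modify_instance_metadata_options(**imdsv2_params(instance_id))


if __name__ == "__main__":
    import boto3  # only needed when talking to a real account

    ec2 = boto3.client("ec2")
    for instance_id in instances_needing_imdsv2(ec2.describe_instances()):
        print("requiring IMDSv2 on", instance_id)
        require_imdsv2(ec2, instance_id)
```

Requiring tokens means any software on the instance that still reads http://169.254.169.254 without a PUT-obtained token will stop working, so check your agents and SDK versions before applying this fleet-wide.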
