Posted On: Jan 20, 2022

Amazon GuardDuty introduces a new threat detection that informs you when your EC2 instance credentials are used to invoke APIs from an IP address that is owned by a different AWS account than the one that the associated EC2 instance is running in. The new finding type is: UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS. While Amazon GuardDuty has always informed you when your EC2 instance credentials were used from outside of AWS, this new threat detection limits a malicious actor’s ability to evade detection by using the EC2 instance credentials from another AWS account.

If you are an existing Amazon GuardDuty customer, you don’t need to take any action to start using this new threat detection capability to monitor your control plane operations as captured in AWS CloudTrail. If you are also a GuardDuty S3 Protection customer, this new threat detection will further inform you when EC2 instance credentials are used from another AWS account to invoke S3 data plane operations (e.g. LISTs/PUTs/GETs). S3 Protection is on by default when you enable GuardDuty for the first time. If you are already using GuardDuty to protect your accounts and workloads and have not yet enabled this capability, you can enable S3 Protection via the GuardDuty console or API.

EC2 instance credentials are the temporary credentials that the EC2 metadata service makes available to any application running on an instance when an AWS Identity and Access Management (IAM) role is attached to it. If compromised, these credentials can be used to maliciously invoke APIs with whatever permissions the IAM role attached to the instance grants. When an alert is generated, you can now also see the AWS account ID of the account the credentials were used from in the Amazon GuardDuty console or in the finding JSON. If the remote AWS account the credentials are used from is not affiliated with your AWS account, meaning that the accounts are not part of your GuardDuty multi-account setup, then the finding severity will be high. If the remote AWS account is affiliated with your AWS account, then the finding severity will be medium. GuardDuty will also learn commonly used cross-account networking topologies to reduce the volume of findings generated for expected use cases, such as when AWS Transit Gateway is used to route traffic between two AWS accounts.

Available globally, Amazon GuardDuty continuously monitors for malicious or unauthorized behavior to help protect your AWS resources, including your AWS accounts, access keys, EC2 instances, and data stored in S3. Powered by threat intelligence, machine learning, and anomaly detection techniques, GuardDuty is continuously evolving to help you protect your AWS environment. You can enable your 30-day free trial of Amazon GuardDuty with a single click in the AWS Management Console. To learn more, see Amazon GuardDuty Findings, and to receive programmatic updates on new Amazon GuardDuty features and threat detections, subscribe to the Amazon GuardDuty SNS topic.