I received GuardDuty UnauthorizedAccess brute force finding type alerts for my Amazon EC2 instance. What should I do?

3 minute read

Amazon GuardDuty detected alerts for the UnauthorizedAccess:EC2/RDPBruteForce or UnauthorizedAccess:EC2/SSHBruteForce finding types for my Amazon Elastic Compute Cloud (Amazon EC2) instance.

Short description

Brute force attacks can indicate unauthorized access to your AWS resources. For more information, see Finding types.

Resolution

Follow these instructions to check the GuardDuty finding type description, finding IDs, and detector IDs for more details about the brute force attack.

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

Check the GuardDuty finding type description

Follow the instructions to view and analyze your GuardDuty findings.

In the finding details pane, note the title of the finding type similar to the following:

"198.51.100.0 is performing RDP brute force attacks against i-99999999. Brute force attacks are used to gain unauthorized access to your instance by guessing the RDP password."

In this example, the description indicates which Amazon EC2 instance is impacted, the direction of the brute force attack, and the IP address.

Check the GuardDuty finding IDs and detector IDs

1. Open the GuardDuty console.

2. In the navigation pane, choose Findings.

3. In Finding type, choose the UnauthorizedAccess finding type.

4. In the finding type details pane, choose the Finding ID.

5. In Findings JSON, note the GuardDuty finding and detector IDs.

6. Run this AWS CLI command:

Note: Replace your-detector-id and your-findings-id with your GuardDuty detector and finding IDs.

aws guardduty get-findings --detector-id your-detector-id --finding-ids your-findings-id --query 'Findings[].Service.Action.NetworkConnectionAction.ConnectionDirection'

You receive an output similar to the following:

[
    "INBOUND"
]

7. Run this AWS CLI command:

aws guardduty get-findings --detector-id your-detector-id --finding-ids your-findings-id --query 'Findings[].Service.Action.NetworkConnectionAction.RemoteIpDetails.IpAddressV4'

You receive an output similar to the following:

[
    "198.51.100.0"
]

In this example, the Amazon EC2 instance security group allows SSH/RDP traffic and is open to the public.

To mitigate the issue, you can restrict SSH/RDP traffic for only a set of IP addresses authorized to access the Amazon EC2 instance.

To restrict SSH traffic, see Adding a rule for inbound SSH traffic to a Linux instance.

To restrict RDP traffic, see Adding a rule for inbound RDP traffic to a Windows instance.

Related information

How to use Amazon GuardDuty and AWS Web Application Firewall to automatically block suspicious hosts

How do I use GuardDuty to identify SSH brute force attacks on Linux instances?

How do I set up a trusted IP address list for GuardDuty?

Topics

Security, Identity, & Compliance

Relevant content

Why GuardDuty keeps alerting my instance "Trojan:EC2/DGADomainRequest.B"
DD-Boom
asked 9 months ago
EC2 GuardDuty Runtime monitor what type of findings should we expect?
davec
asked 2 months ago
What Type of EC2 Instance Should I Use?
dkraft19
asked a year ago
EC2 Instance No Response after Force Stop
AWS-User-2646245
asked 2 years ago
EC2 Will not Force Stop
ChadHD
asked 3 years ago
Why did I receive the GuardDuty finding type alert UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS for my Amazon EC2 instance?
AWS OFFICIALUpdated 11 days ago
How can AWS WAF help prevent brute force login attacks?
AWS OFFICIALUpdated 2 years ago
Why did I receive the GuardDuty finding type alert Recon:EC2/PortProbeUnprotectedPort for my Amazon EC2 instance?
AWS OFFICIALUpdated 2 years ago
How do I use GuardDuty to identify SSH brute force attacks on Linux instances?
AWS OFFICIALUpdated a year ago
How can I see the Trailing 3-month Spot Discount for each instance type and Availability Zone?
EXPERT
Christopher Morris
published 4 months ago