Why did I receive the GuardDuty finding type alert UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS for my Amazon EC2 instance?


Amazon GuardDuty detected alerts for the UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS finding type.

Short description

The GuardDuty finding type UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS indicates that AWS credentials that were created exclusively for an Amazon Elastic Compute Cloud (Amazon EC2) instance through an instance launch role are being used from an external IP address.

Resolution

Follow the instructions to view and analyze your GuardDuty findings. Then, in the findings detail pane, note the external IP address and IAM user name.

The external IP address is safe

If the external IP address is owned by you or someone that you trust, then you can auto-archive the findings with a suppression rule.

The external IP address is malicious

  1. If the external IP address is malicious, then you can deny all permissions to the IAM user.

Note: Permissions for the IAM user are denied for all EC2 instances.

  2. Create an IAM policy with an explicit deny, similar to the following, that blocks access for the IAM user of the EC2 instance:

Note: Replace your-roleId and your-role-session-name with the principal ID noted from the finding (the role ID and the role session name, separated by a colon).

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "*"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:userId": "your-roleId:your-role-session-name"
        }
      }
    }
  ]
}

  3. Follow the instructions for remediating a compromised EC2 instance.

Note: As a security best practice, be sure to require the use of IMDSv2 on an existing instance.
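The two branches above (a trusted external IP gets a suppression rule, a malicious one gets an explicit deny on the role session) can be scripted from the finding itself. The following is an added example, not AWS code or part of this article: it pulls the external IP and principal ID from a GuardDuty finding, checks the IP against a trusted CIDR list, and emits either the FindingCriteria for `aws guardduty create-filter --action ARCHIVE` or the deny policy shown above. The finding is a constructed sample with placeholder IDs and an RFC 5737 documentation address; its field names follow the GuardDuty finding schema (`Resource.AccessKeyDetails`, `Service.Action.AwsApiCallAction.RemoteIpDetails`). The trusted CIDR list is an assumption you supply.

```python
"""Triage helper for the GuardDuty finding
UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS.

Runs offline: SAMPLE_FINDING is a constructed sample, not real data.
"""
import ipaddress
import json

FINDING_TYPE = "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS"

# Constructed sample finding. Field names follow the GuardDuty finding schema;
# the key ID, role ID, instance ID and IP address are placeholders.
SAMPLE_FINDING = {
    "Type": FINDING_TYPE,
    "Resource": {
        "ResourceType": "AccessKey",
        "AccessKeyDetails": {
            "AccessKeyId": "ASIAEXAMPLEKEY000000",
            # Instance credentials: <role unique ID>:<session name>, session = instance ID
            "PrincipalId": "AROAEXAMPLEROLEID0000:i-0123456789abcdef0",
            "UserName": "ExampleInstanceRole",
            "UserType": "AssumedRole",
        },
    },
    "Service": {
        "Action": {
            "ActionType": "AWS_API_CALL",
            "AwsApiCallAction": {
                "Api": "GetCallerIdentity",
                "RemoteIpDetails": {"IpAddressV4": "203.0.113.50"},
            },
        }
    },
}


def extract_indicators(finding):
    """Return (external_ip, principal_id, user_name) from one finding."""
    if finding.get("Type") != FINDING_TYPE:
        raise ValueError(f"unexpected finding type: {finding.get('Type')}")
    key = finding["Resource"]["AccessKeyDetails"]
    ip = finding["Service"]["Action"]["AwsApiCallAction"]["RemoteIpDetails"]["IpAddressV4"]
    return ip, key["PrincipalId"], key["UserName"]


def is_trusted_ip(ip, trusted_cidrs):
    """True when the external IP falls inside a CIDR you own or trust."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in trusted_cidrs)


def suppression_filter_criteria(ip):
    """FindingCriteria for a GuardDuty suppression rule (create-filter with
    action ARCHIVE) scoped to this finding type AND this one source IP, so
    the same finding from any other IP is still surfaced."""
    return {
        "Criterion": {
            "type": {"Eq": [FINDING_TYPE]},
            "service.action.awsApiCallAction.remoteIpDetails.ipAddressV4": {"Eq": [ip]},
        }
    }


def deny_policy(principal_id):
    """Explicit-deny policy keyed on aws:userId (role-id:session-name),
    the same document the article shows with placeholders filled in."""
    role_id, sep, session = principal_id.partition(":")
    if not sep or not role_id.startswith("AROA") or not session:
        raise ValueError("PrincipalId must look like AROA...:<role-session-name>")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": ["*"],
            "Resource": ["*"],
            "Condition": {"StringEquals": {"aws:userId": principal_id}},
        }],
    }


def triage(finding, trusted_cidrs):
    """Decide between the two resolution branches and return the artifact to apply."""
    ip, principal_id, user_name = extract_indicators(finding)
    if is_trusted_ip(ip, trusted_cidrs):
        return {"action": "suppress", "ip": ip, "filter": suppression_filter_criteria(ip)}
    return {"action": "deny", "ip": ip, "user": user_name,
            "principal": principal_id, "policy": deny_policy(principal_id)}


if __name__ == "__main__":
    # Assumed trusted range; the sample IP is outside it, so the deny branch fires.
    print(json.dumps(triage(SAMPLE_FINDING, ["198.51.100.0/24"]), indent=2))
```

Feed the script the output of `aws guardduty get-findings` and review the result before applying it; the deny policy still blocks that role session on every instance, as the note above says, so the compromised-instance steps remain necessary after attaching it.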


AWS OFFICIAL. Updated 2 years ago.