

# GuardDuty finding types
<a name="guardduty_finding-types-active"></a>

A finding is a notification that GuardDuty generates when it detects an indication of suspicious or malicious activity in your Amazon Web Services account. GuardDuty generates a finding in an account that has enabled GuardDuty.

For information about important changes to the GuardDuty finding types, including newly added or retired finding types, see [Document history for Amazon GuardDuty](doc-history.md).

For information about finding types which are now retired, see [Retired finding types](guardduty_finding-types-retired.md).

## GuardDuty finding types by potentially impacted resources
<a name="findings-by-resource"></a>

The following pages are categorized by the potentially impacted resource type associated with a GuardDuty finding:
+ [EC2 finding types](guardduty_finding-types-ec2.md)
+ [IAM finding types](guardduty_finding-types-iam.md)
+ [Attack sequence finding types](guardduty-attack-sequence-finding-types.md)
+ [S3 Protection finding types](guardduty_finding-types-s3.md)
+ [EKS Protection finding types](guardduty-finding-types-eks-audit-logs.md)
+ [Runtime Monitoring finding types](findings-runtime-monitoring.md)
+ [Malware Protection for EC2 finding types](findings-malware-protection.md)
+ [Malware Protection for S3 finding type](gdu-malware-protection-s3-finding-types.md)
+ [Malware Protection for Backup finding types](findings-malware-protection-backup.md)
+ [RDS Protection finding types](findings-rds-protection.md)
+ [Lambda Protection finding types](lambda-protection-finding-types.md)

## GuardDuty active finding types
<a name="findings-table"></a>

The following table shows all of the active finding types sorted by the foundational data source or feature, as applicable. In the following table, some of the findings have their *Finding severity* column values marked with an asterisk (\*) or a plus sign (\+):

\*These finding types have variable severity. A finding of a particular type may have a different severity depending on the context specific to the finding. For more information about a finding type, view its detailed description.

\+EC2 findings that use VPC flow logs as a data source do not support IPv6 traffic.


| Finding type | Resource type | Foundational data source/Feature | Finding severity | 
| --- | --- | --- | --- | 
| [Discovery:S3/AnomalousBehavior](guardduty_finding-types-s3.md#discovery-s3-anomalousbehavior) | Amazon S3 | CloudTrail data events for S3 | Low | 
| [Discovery:S3/MaliciousIPCaller](guardduty_finding-types-s3.md#discovery-s3-maliciousipcaller) | Amazon S3 | CloudTrail data events for S3 | High | 
| [Discovery:S3/MaliciousIPCaller.Custom](guardduty_finding-types-s3.md#discovery-s3-maliciousipcallercustom) | Amazon S3 | CloudTrail data events for S3 | High | 
| [Discovery:S3/TorIPCaller](guardduty_finding-types-s3.md#discovery-s3-toripcaller) | Amazon S3 | CloudTrail data events for S3 | Medium | 
| [Exfiltration:S3/AnomalousBehavior](guardduty_finding-types-s3.md#exfiltration-s3-anomalousbehavior) | Amazon S3 | CloudTrail data events for S3 | High | 
| [Exfiltration:S3/MaliciousIPCaller](guardduty_finding-types-s3.md#exfiltration-s3-maliciousipcaller) | Amazon S3 | CloudTrail data events for S3 | High | 
| [Impact:EC2/MaliciousDomainRequest.Custom](guardduty_finding-types-ec2.md#impact-ec2-maliciousdomainrequest-custom) | Amazon EC2 | DNS logs | Medium | 
| [Impact:S3/AnomalousBehavior.Delete](guardduty_finding-types-s3.md#impact-s3-anomalousbehavior-delete) | Amazon S3 | CloudTrail data events for S3 | High | 
| [Impact:S3/AnomalousBehavior.Permission](guardduty_finding-types-s3.md#impact-s3-anomalousbehavior-permission) | Amazon S3 | CloudTrail data events for S3 | High | 
| [Impact:S3/AnomalousBehavior.Write](guardduty_finding-types-s3.md#impact-s3-anomalousbehavior-write) | Amazon S3 | CloudTrail data events for S3 | Medium | 
| [Impact:S3/MaliciousIPCaller](guardduty_finding-types-s3.md#impact-s3-maliciousipcaller) | Amazon S3 | CloudTrail data events for S3 | High | 
| [PenTest:S3/KaliLinux](guardduty_finding-types-s3.md#pentest-s3-kalilinux) | Amazon S3 | CloudTrail data events for S3 | Medium | 
| [PenTest:S3/ParrotLinux](guardduty_finding-types-s3.md#pentest-s3-parrotlinux) | Amazon S3 | CloudTrail data events for S3 | Medium | 
| [PenTest:S3/PentooLinux](guardduty_finding-types-s3.md#pentest-s3-pentoolinux) | Amazon S3 | CloudTrail data events for S3 | Medium | 
| [UnauthorizedAccess:S3/TorIPCaller](guardduty_finding-types-s3.md#unauthorizedaccess-s3-toripcaller) | Amazon S3 | CloudTrail data events for S3 | High | 
| [UnauthorizedAccess:S3/MaliciousIPCaller.Custom](guardduty_finding-types-s3.md#unauthorizedaccess-s3-maliciousipcallercustom) | Amazon S3 | CloudTrail data events for S3 | High | 
| [CredentialAccess:IAMUser/AnomalousBehavior](guardduty_finding-types-iam.md#credentialaccess-iam-anomalousbehavior) | IAM | CloudTrail management events | Medium | 
| [CredentialAccess:IAMUser/CompromisedCredentials](guardduty_finding-types-iam.md#credentialaccess-iam-compromisedcredentials) | IAM | CloudTrail management events or CloudTrail data events for S3 | High | 
| [DefenseEvasion:IAMUser/AnomalousBehavior](guardduty_finding-types-iam.md#defenseevasion-iam-anomalousbehavior) | IAM | CloudTrail management events | Medium | 
| [DefenseEvasion:IAMUser/BedrockLoggingDisabled](guardduty_finding-types-iam.md#defenseevasion-iam-bedrockloggingdisabled) | IAM | CloudTrail management events | Medium | 
| [Discovery:IAMUser/AnomalousBehavior](guardduty_finding-types-iam.md#discovery-iam-anomalousbehavior) | IAM | CloudTrail management events | Low | 
| [Exfiltration:IAMUser/AnomalousBehavior](guardduty_finding-types-iam.md#exfiltration-iam-anomalousbehavior) | IAM | CloudTrail management events | High | 
| [Impact:IAMUser/AnomalousBehavior](guardduty_finding-types-iam.md#impact-iam-anomalousbehavior) | IAM | CloudTrail management events | High | 
| [InitialAccess:IAMUser/AnomalousBehavior](guardduty_finding-types-iam.md#initialaccess-iam-anomalousbehavior) | IAM | CloudTrail management events | Medium | 
| [PenTest:IAMUser/KaliLinux](guardduty_finding-types-iam.md#pentest-iam-kalilinux) | IAM | CloudTrail management events | Medium | 
| [PenTest:IAMUser/ParrotLinux](guardduty_finding-types-iam.md#pentest-iam-parrotlinux) | IAM | CloudTrail management events | Medium | 
| [PenTest:IAMUser/PentooLinux](guardduty_finding-types-iam.md#pentest-iam-pentoolinux) | IAM | CloudTrail management events | Medium | 
| [Persistence:IAMUser/AnomalousBehavior](guardduty_finding-types-iam.md#persistence-iam-anomalousbehavior) | IAM | CloudTrail management events | Medium | 
| [Stealth:IAMUser/PasswordPolicyChange](guardduty_finding-types-iam.md#stealth-iam-passwordpolicychange) | IAM | CloudTrail management events | Low[*](#gdu-active-findings-variable-severity) | 
| [UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS](guardduty_finding-types-iam.md#unauthorizedaccess-iam-instancecredentialexfiltrationinsideaws) | IAM | CloudTrail management events | High[*](#gdu-active-findings-variable-severity) | 
| [Policy:S3/AccountBlockPublicAccessDisabled](guardduty_finding-types-s3.md#policy-s3-accountblockpublicaccessdisabled) | Amazon S3 | CloudTrail management events | Low | 
| [Policy:S3/BucketAnonymousAccessGranted](guardduty_finding-types-s3.md#policy-s3-bucketanonymousaccessgranted) | Amazon S3 | CloudTrail management events | High | 
| [Policy:S3/BucketBlockPublicAccessDisabled](guardduty_finding-types-s3.md#policy-s3-bucketblockpublicaccessdisabled) | Amazon S3 | CloudTrail management events | Low | 
| [Policy:S3/BucketPublicAccessGranted](guardduty_finding-types-s3.md#policy-s3-bucketpublicaccessgranted) | Amazon S3 | CloudTrail management events | High | 
| [PrivilegeEscalation:IAMUser/AnomalousBehavior](guardduty_finding-types-iam.md#privilegeescalation-iam-anomalousbehavior) | IAM | CloudTrail management events | Medium | 
| [Recon:IAMUser/MaliciousIPCaller](guardduty_finding-types-iam.md#recon-iam-maliciousipcaller) | IAM | CloudTrail management events | Medium | 
| [Recon:IAMUser/MaliciousIPCaller.Custom](guardduty_finding-types-iam.md#recon-iam-maliciousipcallercustom) | IAM | CloudTrail management events | Medium | 
| [Recon:IAMUser/TorIPCaller](guardduty_finding-types-iam.md#recon-iam-toripcaller) | IAM | CloudTrail management events | Medium | 
| [Stealth:IAMUser/CloudTrailLoggingDisabled](guardduty_finding-types-iam.md#stealth-iam-cloudtrailloggingdisabled) | IAM | CloudTrail management events | Low | 
| [Stealth:S3/ServerAccessLoggingDisabled](guardduty_finding-types-s3.md#stealth-s3-serveraccessloggingdisabled) | Amazon S3 | CloudTrail management events | Low | 
| [UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B](guardduty_finding-types-iam.md#unauthorizedaccess-iam-consoleloginsuccessb) | IAM | CloudTrail management events | Medium | 
| [UnauthorizedAccess:IAMUser/MaliciousIPCaller](guardduty_finding-types-iam.md#unauthorizedaccess-iam-maliciousipcaller) | IAM | CloudTrail management events | Medium | 
| [UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom](guardduty_finding-types-iam.md#unauthorizedaccess-iam-maliciousipcallercustom) | IAM | CloudTrail management events | Medium | 
| [UnauthorizedAccess:IAMUser/TorIPCaller](guardduty_finding-types-iam.md#unauthorizedaccess-iam-toripcaller) | IAM | CloudTrail management events | Medium | 
| [Policy:IAMUser/RootCredentialUsage](guardduty_finding-types-iam.md#policy-iam-rootcredentialusage) | IAM | CloudTrail management events or CloudTrail data events for S3 | Low | 
| [Policy:IAMUser/ShortTermRootCredentialUsage](guardduty_finding-types-iam.md#policy-iam-user-short-term-root-credential-usage) | IAM | CloudTrail management events or CloudTrail data events for S3 | Low | 
| [UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS](guardduty_finding-types-iam.md#unauthorizedaccess-iam-instancecredentialexfiltrationoutsideaws) | IAM | CloudTrail management events or CloudTrail data events for S3 | High | 
| [UnauthorizedAccess:IAMUser/ResourceCredentialExfiltration.OutsideAWS](guardduty_finding-types-iam.md#unauthorizedaccess-iam-resourcecredentialexfiltrationoutsideaws) | IAM | CloudTrail management events or CloudTrail data events for S3 | High | 
| [AttackSequence:EKS/CompromisedCluster](guardduty-attack-sequence-finding-types.md#attack-sequence-eks-compromised-cluster) | Resources involved in attack sequence |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/en_us/guardduty/latest/ug/guardduty_finding-types-active.html)  | Critical | 
| [AttackSequence:IAM/CompromisedCredentials](guardduty-attack-sequence-finding-types.md#attack-sequence-iam-compromised-credentials) | Resources involved in attack sequence | CloudTrail management events | Critical | 
| [AttackSequence:S3/CompromisedData](guardduty-attack-sequence-finding-types.md#attack-sequence-s3-compromised-data) | Resources involved in attack sequence | CloudTrail management events and CloudTrail data events for S3 | Critical | 
| [AttackSequence:ECS/CompromisedCluster](guardduty-attack-sequence-finding-types.md#attack-sequence-ecs-compromised-cluster) | Resources involved in attack sequence |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/en_us/guardduty/latest/ug/guardduty_finding-types-active.html)  | Critical | 
| [AttackSequence:EC2/CompromisedInstanceGroup](guardduty-attack-sequence-finding-types.md#attack-sequence-ec2-compromised-instance-group) | Resources involved in attack sequence |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/en_us/guardduty/latest/ug/guardduty_finding-types-active.html)  | Critical | 
| [Backdoor:EC2/C&CActivity.B\!DNS](guardduty_finding-types-ec2.md#backdoor-ec2-ccactivitybdns) | Amazon EC2 | DNS logs | High | 
| [CryptoCurrency:EC2/BitcoinTool.B\!DNS](guardduty_finding-types-ec2.md#cryptocurrency-ec2-bitcointoolbdns) | Amazon EC2 | DNS logs | High | 
| [Impact:EC2/AbusedDomainRequest.Reputation](guardduty_finding-types-ec2.md#impact-ec2-abuseddomainrequestreputation) | Amazon EC2 | DNS logs | Medium | 
| [Impact:EC2/BitcoinDomainRequest.Reputation](guardduty_finding-types-ec2.md#impact-ec2-bitcoindomainrequestreputation) | Amazon EC2 | DNS logs | High | 
| [Impact:EC2/MaliciousDomainRequest.Reputation](guardduty_finding-types-ec2.md#impact-ec2-maliciousdomainrequestreputation) | Amazon EC2 | DNS logs | High | 
| [Impact:EC2/SuspiciousDomainRequest.Reputation](guardduty_finding-types-ec2.md#impact-ec2-suspiciousdomainrequestreputation) | Amazon EC2 | DNS logs | Low | 
| [Trojan:EC2/BlackholeTraffic\!DNS](guardduty_finding-types-ec2.md#trojan-ec2-blackholetrafficdns) | Amazon EC2 | DNS logs | Medium | 
| [Trojan:EC2/DGADomainRequest.B](guardduty_finding-types-ec2.md#trojan-ec2-dgadomainrequestb) | Amazon EC2 | DNS logs | High | 
| [Trojan:EC2/DGADomainRequest.C\!DNS](guardduty_finding-types-ec2.md#trojan-ec2-dgadomainrequestcdns) | Amazon EC2 | DNS logs | High | 
| [Trojan:EC2/DNSDataExfiltration](guardduty_finding-types-ec2.md#trojan-ec2-dnsdataexfiltration) | Amazon EC2 | DNS logs | High | 
| [Trojan:EC2/DriveBySourceTraffic\!DNS](guardduty_finding-types-ec2.md#trojan-ec2-drivebysourcetrafficdns) | Amazon EC2 | DNS logs | High | 
| [Trojan:EC2/DropPoint\!DNS](guardduty_finding-types-ec2.md#trojan-ec2-droppointdns) | Amazon EC2 | DNS logs | Medium | 
| [Trojan:EC2/PhishingDomainRequest\!DNS](guardduty_finding-types-ec2.md#trojan-ec2-phishingdomainrequestdns) | Amazon EC2 | DNS logs | High | 
| [UnauthorizedAccess:EC2/MetadataDNSRebind](guardduty_finding-types-ec2.md#unauthorizedaccess-ec2-metadatadnsrebind) | Amazon EC2 | DNS logs | High | 
| [Execution:Container/MaliciousFile](findings-malware-protection.md#execution-malware-container-maliciousfile) | Container | EBS Malware Protection | Varies depending on the detected threat | 
| [Execution:Container/SuspiciousFile](findings-malware-protection.md#execution-malware-container-suspiciousfile) | Container | EBS Malware Protection | Varies depending on the detected threat | 
| [Execution:EC2/MaliciousFile](findings-malware-protection.md#execution-malware-ec2-maliciousfile) | Amazon EC2 | EBS Malware Protection | Varies depending on the detected threat | 
| [Execution:EC2/SuspiciousFile](findings-malware-protection.md#execution-malware-ec2-suspiciousfile) | Amazon EC2 | EBS Malware Protection | Varies depending on the detected threat | 
| [Execution:ECS/MaliciousFile](findings-malware-protection.md#execution-malware-ecs-maliciousfile) | ECS | EBS Malware Protection | Varies depending on the detected threat | 
| [Execution:ECS/SuspiciousFile](findings-malware-protection.md#execution-malware-ecs-suspiciousfile) | ECS | EBS Malware Protection | Varies depending on the detected threat | 
| [Execution:Kubernetes/MaliciousFile](findings-malware-protection.md#execution-malware-kubernetes-maliciousfile) | Kubernetes | EBS Malware Protection | Varies depending on the detected threat | 
| [Execution:Kubernetes/SuspiciousFile](findings-malware-protection.md#execution-malware-kubernetes-suspiciousfile) | Kubernetes | EBS Malware Protection | Varies depending on the detected threat | 
| [Execution:EC2/MaliciousFile\!Snapshot](findings-malware-protection-backup.md#execution-malware-ec2-maliciousfile-snapshot) | Amazon EBS | Malware Protection for Backup | Varies depending on the detected threat | 
| [Execution:EC2/MaliciousFile\!AMI](findings-malware-protection-backup.md#execution-malware-ec2-maliciousfile-ami) | Amazon EC2 | Malware Protection for Backup | Varies depending on the detected threat | 
| [Execution:EC2/MaliciousFile\!RecoveryPoint](findings-malware-protection-backup.md#execution-malware-ec2-maliciousfile-recoverypoint) | Amazon Backup | Malware Protection for Backup | Varies depending on the detected threat | 
| [Execution:S3/MaliciousFile\!RecoveryPoint](findings-malware-protection-backup.md#execution-malware-s3-maliciousfile-recoverypoint) | Amazon Backup | Malware Protection for Backup | Varies depending on the detected threat | 
| [CredentialAccess:Kubernetes/AnomalousBehavior.SecretsAccessed](guardduty-finding-types-eks-audit-logs.md#credaccess-kubernetes-anomalousbehavior-secretsaccessed) | Kubernetes | EKS audit logs | Medium | 
| [CredentialAccess:Kubernetes/MaliciousIPCaller](guardduty-finding-types-eks-audit-logs.md#credentialaccess-kubernetes-maliciousipcaller) | Kubernetes | EKS audit logs | High | 
| [CredentialAccess:Kubernetes/MaliciousIPCaller.Custom](guardduty-finding-types-eks-audit-logs.md#credentialaccess-kubernetes-maliciousipcallercustom) | Kubernetes | EKS audit logs | High | 
| [CredentialAccess:Kubernetes/SuccessfulAnonymousAccess](guardduty-finding-types-eks-audit-logs.md#credentialaccess-kubernetes-successfulanonymousaccess) | Kubernetes | EKS audit logs | High | 
| [CredentialAccess:Kubernetes/TorIPCaller](guardduty-finding-types-eks-audit-logs.md#credentialaccess-kubernetes-toripcaller) | Kubernetes | EKS audit logs | High | 
| [DefenseEvasion:Kubernetes/MaliciousIPCaller](guardduty-finding-types-eks-audit-logs.md#defenseevasion-kubernetes-maliciousipcaller) | Kubernetes | EKS audit logs | High | 
| [DefenseEvasion:Kubernetes/MaliciousIPCaller.Custom](guardduty-finding-types-eks-audit-logs.md#defenseevasion-kubernetes-maliciousipcallercustom) | Kubernetes | EKS audit logs | High | 
| [DefenseEvasion:Kubernetes/SuccessfulAnonymousAccess](guardduty-finding-types-eks-audit-logs.md#defenseevasion-kubernetes-successfulanonymousaccess) | Kubernetes | EKS audit logs | High | 
| [DefenseEvasion:Kubernetes/TorIPCaller](guardduty-finding-types-eks-audit-logs.md#defenseevasion-kubernetes-toripcaller) | Kubernetes | EKS audit logs | High | 
| [Discovery:Kubernetes/AnomalousBehavior.PermissionChecked](guardduty-finding-types-eks-audit-logs.md#discovery-kubernetes-anomalousbehavrior-permissionchecked) | Kubernetes | EKS audit logs | Low | 
| [Discovery:Kubernetes/MaliciousIPCaller](guardduty-finding-types-eks-audit-logs.md#discovery-kubernetes-maliciousipcaller) | Kubernetes | EKS audit logs | Medium | 
| [Discovery:Kubernetes/MaliciousIPCaller.Custom](guardduty-finding-types-eks-audit-logs.md#discovery-kubernetes-maliciousipcallercustom) | Kubernetes | EKS audit logs | Medium | 
| [Discovery:Kubernetes/SuccessfulAnonymousAccess](guardduty-finding-types-eks-audit-logs.md#discovery-kubernetes-successfulanonymousaccess) | Kubernetes | EKS audit logs | Medium | 
| [Discovery:Kubernetes/TorIPCaller](guardduty-finding-types-eks-audit-logs.md#discovery-kubernetes-toripcaller) | Kubernetes | EKS audit logs | Medium | 
| [Execution:Kubernetes/ExecInKubeSystemPod](guardduty-finding-types-eks-audit-logs.md#execution-kubernetes-execinkubesystempod) | Kubernetes | EKS audit logs | Medium | 
| [Execution:Kubernetes/AnomalousBehavior.ExecInPod](guardduty-finding-types-eks-audit-logs.md#execution-kubernetes-anomalousbehvaior-execinprod) | Kubernetes | EKS audit logs | Medium | 
| [Execution:Kubernetes/AnomalousBehavior.WorkloadDeployed](guardduty-finding-types-eks-audit-logs.md#exec-kubernetes-anomalousbehavior-workloaddeployed) | Kubernetes | EKS audit logs | Low | 
| [Impact:Kubernetes/MaliciousIPCaller](guardduty-finding-types-eks-audit-logs.md#impact-kubernetes-maliciousipcaller) | Kubernetes | EKS audit logs | High | 
| [Impact:Kubernetes/MaliciousIPCaller.Custom](guardduty-finding-types-eks-audit-logs.md#impact-kubernetes-maliciousipcallercustom) | Kubernetes | EKS audit logs | High | 
| [Impact:Kubernetes/SuccessfulAnonymousAccess](guardduty-finding-types-eks-audit-logs.md#impact-kubernetes-successfulanonymousaccess) | Kubernetes | EKS audit logs | High | 
| [Impact:Kubernetes/TorIPCaller](guardduty-finding-types-eks-audit-logs.md#impact-kubernetes-toripcaller) | Kubernetes | EKS audit logs | High | 
| [Persistence:Kubernetes/ContainerWithSensitiveMount](guardduty-finding-types-eks-audit-logs.md#persistence-kubernetes-containerwithsensitivemount) | Kubernetes | EKS audit logs | Medium | 
| [Persistence:Kubernetes/MaliciousIPCaller](guardduty-finding-types-eks-audit-logs.md#persistence-kubernetes-maliciousipcaller) | Kubernetes | EKS audit logs | Medium | 
| [Persistence:Kubernetes/MaliciousIPCaller.Custom](guardduty-finding-types-eks-audit-logs.md#persistence-kubernetes-maliciousipcallercustom) | Kubernetes | EKS audit logs | Medium | 
| [Persistence:Kubernetes/SuccessfulAnonymousAccess](guardduty-finding-types-eks-audit-logs.md#persistence-kubernetes-successfulanonymousaccess) | Kubernetes | EKS audit logs | High | 
| [Persistence:Kubernetes/TorIPCaller](guardduty-finding-types-eks-audit-logs.md#persistence-kubernetes-toripcaller) | Kubernetes | EKS audit logs | Medium | 
| [Policy:Kubernetes/AdminAccessToDefaultServiceAccount](guardduty-finding-types-eks-audit-logs.md#policy-kubernetes-adminaccesstodefaultserviceaccount) | Kubernetes | EKS audit logs | High | 
| [Policy:Kubernetes/AnonymousAccessGranted](guardduty-finding-types-eks-audit-logs.md#policy-kubernetes-anonymousaccessgranted) | Kubernetes | EKS audit logs | High | 
| [Policy:Kubernetes/KubeflowDashboardExposed](guardduty-finding-types-eks-audit-logs.md#policy-kubernetes-kubeflowdashboardexposed) | Kubernetes | EKS audit logs | Medium | 
| [Policy:Kubernetes/ExposedDashboard](guardduty-finding-types-eks-audit-logs.md#policy-kubernetes-exposeddashboard) | Kubernetes | EKS audit logs | Medium | 
| [PrivilegeEscalation:Kubernetes/AnomalousBehavior.RoleBindingCreated](guardduty-finding-types-eks-audit-logs.md#privesc-kubernetes-anomalousbehavior-rolebindingcreated) | Kubernetes | EKS audit logs | Medium[*](#gdu-active-findings-variable-severity) | 
| [PrivilegeEscalation:Kubernetes/AnomalousBehavior.RoleCreated](guardduty-finding-types-eks-audit-logs.md#privesc-kubernetes-anomalousbehavior-rolecreated) | Kubernetes | EKS audit logs | Low | 
| [Persistence:Kubernetes/AnomalousBehavior.WorkloadDeployed\!ContainerWithSensitiveMount](guardduty-finding-types-eks-audit-logs.md#privesc-kubernetes-anomalousbehavior-workloaddeployed-containerwithsensitivemount)  | Kubernetes | EKS audit logs | High | 
| [PrivilegeEscalation:Kubernetes/AnomalousBehavior.WorkloadDeployed\!PrivilegedContainer](guardduty-finding-types-eks-audit-logs.md#privesc-kubernetes-anomalousbehavior-workloaddeployed-privcontainer) | Kubernetes | EKS audit logs | High | 
| [PrivilegeEscalation:Kubernetes/PrivilegedContainer](guardduty-finding-types-eks-audit-logs.md#privilegeescalation-kubernetes-privilegedcontainer) | Kubernetes | EKS audit logs | Medium | 
| [Backdoor:Lambda/C&CActivity.B](lambda-protection-finding-types.md#backdoor-lambda-ccactivity-b) | Lambda | Lambda Network Activity Monitoring | High | 
| [CryptoCurrency:Lambda/BitcoinTool.B](lambda-protection-finding-types.md#cryptocurrency-lambda-bitcointool-b) | Lambda | Lambda Network Activity Monitoring | High | 
| [Trojan:Lambda/BlackholeTraffic](lambda-protection-finding-types.md#trojan-lambda-blackhole-traffic) | Lambda | Lambda Network Activity Monitoring | Medium | 
| [Trojan:Lambda/DropPoint](lambda-protection-finding-types.md#trojan-lambda-drop-point) | Lambda | Lambda Network Activity Monitoring | Medium | 
| [UnauthorizedAccess:Lambda/MaliciousIPCaller.Custom](lambda-protection-finding-types.md#unauthorized-access-lambda-maliciousIPcaller-custom) | Lambda | Lambda Network Activity Monitoring | Medium | 
| [UnauthorizedAccess:Lambda/TorClient](lambda-protection-finding-types.md#unauthorized-access-lambda-tor-client) | Lambda | Lambda Network Activity Monitoring | High | 
| [UnauthorizedAccess:Lambda/TorRelay](lambda-protection-finding-types.md#unauthorized-access-lambda-tor-relay) | Lambda | Lambda Network Activity Monitoring | High | 
| [Object:S3/MaliciousFile](gdu-malware-protection-s3-finding-types.md#s3-object-s3-malicious-file) | S3Object | Malware Protection for S3 | High | 
| [CredentialAccess:RDS/AnomalousBehavior.FailedLogin](findings-rds-protection.md#credaccess-rds-anombehavior-failedlogin) | [Supported Amazon Aurora, Amazon RDS, and Aurora Limitless databases](rds-protection.md#rds-pro-supported-db) | RDS Login Activity Monitoring | Low | 
| [CredentialAccess:RDS/AnomalousBehavior.SuccessfulBruteForce](findings-rds-protection.md#credaccess-rds-anombehavior-successfulbruteforce) | [Supported Amazon Aurora, Amazon RDS, and Aurora Limitless databases](rds-protection.md#rds-pro-supported-db) | RDS Login Activity Monitoring | High | 
| [CredentialAccess:RDS/AnomalousBehavior.SuccessfulLogin](findings-rds-protection.md#credaccess-rds-anombehavior-successlogin) | [Supported Amazon Aurora, Amazon RDS, and Aurora Limitless databases](rds-protection.md#rds-pro-supported-db) | RDS Login Activity Monitoring | Variable[*](#gdu-active-findings-variable-severity) | 
| [CredentialAccess:RDS/MaliciousIPCaller.FailedLogin](findings-rds-protection.md#credaccess-rds-maliciousipcaller-failedlogin) | [Supported Amazon Aurora, Amazon RDS, and Aurora Limitless databases](rds-protection.md#rds-pro-supported-db) | RDS Login Activity Monitoring | Medium | 
| [CredentialAccess:RDS/MaliciousIPCaller.SuccessfulLogin](findings-rds-protection.md#credaccess-rds-maliciousipcaller-successfullogin) | [Supported Amazon Aurora, Amazon RDS, and Aurora Limitless databases](rds-protection.md#rds-pro-supported-db) | RDS Login Activity Monitoring | High | 
| [CredentialAccess:RDS/TorIPCaller.FailedLogin](findings-rds-protection.md#credaccess-rds-toripcaller-failedlogin) | [Supported Amazon Aurora, Amazon RDS, and Aurora Limitless databases](rds-protection.md#rds-pro-supported-db) | RDS Login Activity Monitoring | Medium | 
| [CredentialAccess:RDS/TorIPCaller.SuccessfulLogin](findings-rds-protection.md#credaccess-rds-toripcaller-successfullogin) | [Supported Amazon Aurora, Amazon RDS, and Aurora Limitless databases](rds-protection.md#rds-pro-supported-db) | RDS Login Activity Monitoring | High | 
| [Discovery:RDS/MaliciousIPCaller](findings-rds-protection.md#discovery-rds-maliciousipcaller) | [Supported Amazon Aurora, Amazon RDS, and Aurora Limitless databases](rds-protection.md#rds-pro-supported-db) | RDS Login Activity Monitoring | Medium | 
| [Discovery:RDS/TorIPCaller](findings-rds-protection.md#discovery-rds-toripcaller) | [Supported Amazon Aurora, Amazon RDS, and Aurora Limitless databases](rds-protection.md#rds-pro-supported-db) | RDS Login Activity Monitoring | Medium | 
| [Backdoor:Runtime/C&CActivity.B](findings-runtime-monitoring.md#backdoor-runtime-ccactivityb) | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High | 
| [Backdoor:Runtime/C&CActivity.B\!DNS](findings-runtime-monitoring.md#backdoor-runtime-ccactivitybdns) | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High | 
| [CryptoCurrency:Runtime/BitcoinTool.B](findings-runtime-monitoring.md#cryptocurrency-runtime-bitcointoolb) | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High | 
| [CryptoCurrency:Runtime/BitcoinTool.B\!DNS](findings-runtime-monitoring.md#cryptocurrency-runtime-bitcointoolbdns) | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High | 
| [DefenseEvasion:Runtime/FilelessExecution](findings-runtime-monitoring.md#defenseeva-runtime-filelessexecution) | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium | 
| [DefenseEvasion:Runtime/KernelModuleLoaded](findings-runtime-monitoring.md#defenseevasion-runtime-kernelmoduleloaded) | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High | 
| [DefenseEvasion:Runtime/ProcessInjection.Proc](findings-runtime-monitoring.md#defenseeva-runtime-processinjectionproc) | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High | 
| [DefenseEvasion:Runtime/ProcessInjection.Ptrace](findings-runtime-monitoring.md#defenseeva-runtime-processinjectionptrace) | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium | 
| [DefenseEvasion:Runtime/ProcessInjection.VirtualMemoryWrite](findings-runtime-monitoring.md#defenseeva-runtime-processinjectionvirtualmemw) | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High | 
| [DefenseEvasion:Runtime/PtraceAntiDebugging](findings-runtime-monitoring.md#defenseevasion-runtime-ptrace-anti-debug) | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Low | 
| [DefenseEvasion:Runtime/SuspiciousCommand](findings-runtime-monitoring.md#defenseevasion-runtime-suspicious-command) | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High | 
| [Discovery:Runtime/SuspiciousCommand](findings-runtime-monitoring.md#discovery-runtime-suspicious-command) | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Low | 
| [Execution:Runtime/MaliciousFileExecuted](findings-runtime-monitoring.md#execution-runtime-malicious-file-executed) | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High | 
| [Execution:Runtime/MaliciousFileExecuted.Custom](findings-runtime-monitoring.md#execution-runtime-malicious-file-executed-custom) | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High | 
| [Execution:Runtime/NewBinaryExecuted](findings-runtime-monitoring.md#execution-runtime-newbinaryexecuted) | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium | 
| [Execution:Runtime/NewLibraryLoaded](findings-runtime-monitoring.md#execution-runtime-newlibraryloaded) | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium | 
| [Execution:Runtime/SuspiciousCommand](findings-runtime-monitoring.md#execution-runtime-suspiciouscommand) | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Variable | 
| [Execution:Runtime/SuspiciousShellCreated](findings-runtime-monitoring.md#execution-runtime-suspicious-shell-created) | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Low | 
| [Execution:Runtime/SuspiciousTool](findings-runtime-monitoring.md#execution-runtime-suspicioustool) | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Variable | 
| [Execution:Runtime/ReverseShell](findings-runtime-monitoring.md#execution-runtime-reverseshell) | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High | 
| [Impact:Runtime/AbusedDomainRequest.Reputation](findings-runtime-monitoring.md#impact-runtime-abuseddomainrequestreputation) | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium | 
| [Impact:Runtime/BitcoinDomainRequest.Reputation](findings-runtime-monitoring.md#impact-runtime-bitcoindomainrequestreputation) | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High | 
| [Impact:Runtime/CryptoMinerExecuted](findings-runtime-monitoring.md#impact-runtime-cryptominerexecuted) | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High | 
| [Impact:Runtime/MaliciousDomainRequest.Reputation](findings-runtime-monitoring.md#impact-runtime-maliciousdomainrequestreputation) | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium | 
| [Impact:Runtime/SuspiciousDomainRequest.Reputation](findings-runtime-monitoring.md#impact-runtime-suspiciousdomainrequestreputation) | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Low | 
| [Persistence:Runtime/SuspiciousCommand](findings-runtime-monitoring.md#persistence-runtime-suspicious-command) | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium | 
| [PrivilegeEscalation:Runtime/CGroupsReleaseAgentModified](findings-runtime-monitoring.md#privilegeesc-runtime-cgroupsreleaseagentmodified) | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High | 
| [PrivilegeEscalation:Runtime/ContainerMountsHostDirectory](findings-runtime-monitoring.md#privilegeescalation-runtime-containermountshostdirectory) | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium | 
| [PrivilegeEscalation:Runtime/DockerSocketAccessed](findings-runtime-monitoring.md#privilegeesc-runtime-dockersocketaccessed) | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium | 
| [PrivilegeEscalation:Runtime/ElevationToRoot](findings-runtime-monitoring.md#privilegeesc-runtime-elevation-to-root) | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium | 
| [PrivilegeEscalation:Runtime/RuncContainerEscape](findings-runtime-monitoring.md#privilegeesc-runtime-runccontainerescape) | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High | 
| [PrivilegeEscalation:Runtime/SuspiciousCommand](findings-runtime-monitoring.md#privilege-escalation-runtime-suspicious-command) | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium | 
| [PrivilegeEscalation:Runtime/UserfaultfdUsage](findings-runtime-monitoring.md#privilegeescalation-runtime-userfaultfdusage) | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium | 
| [Trojan:Runtime/BlackholeTraffic](findings-runtime-monitoring.md#trojan-runtime-blackholetraffic) | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium | 
| [Trojan:Runtime/BlackholeTraffic\!DNS](findings-runtime-monitoring.md#trojan-runtime-blackholetrafficdns) | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium | 
| [Trojan:Runtime/DropPoint](findings-runtime-monitoring.md#trojan-runtime-droppoint) | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium | 
| [Trojan:Runtime/DGADomainRequest.C\!DNS](findings-runtime-monitoring.md#trojan-runtime-dgadomainrequestcdns) | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High | 
| [Trojan:Runtime/DriveBySourceTraffic\!DNS](findings-runtime-monitoring.md#trojan-runtime-drivebysourcetrafficdns) | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High | 
| [Trojan:Runtime/DropPoint\!DNS](findings-runtime-monitoring.md#trojan-runtime-droppointdns) | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium | 
| [Trojan:Runtime/PhishingDomainRequest\!DNS](findings-runtime-monitoring.md#trojan-runtime-phishingdomainrequestdns) | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High | 
| [UnauthorizedAccess:Runtime/MetadataDNSRebind](findings-runtime-monitoring.md#unauthorizedaccess-runtime-metadatadnsrebind) | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High | 
| [UnauthorizedAccess:Runtime/TorClient](findings-runtime-monitoring.md#unauthorizedaccess-runtime-torclient) | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High | 
| [UnauthorizedAccess:Runtime/TorRelay](findings-runtime-monitoring.md#unauthorizedaccess-runtime-torrelay) | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High | 
| [Backdoor:EC2/C&CActivity.B](guardduty_finding-types-ec2.md#backdoor-ec2-ccactivityb) | Amazon EC2 | VPC flow logs[+](#gdu-ec2-finding-no-support-ipv6-traffic) | High | 
| [Backdoor:EC2/DenialOfService.Dns](guardduty_finding-types-ec2.md#backdoor-ec2-denialofservicedns) | Amazon EC2 | VPC flow logs[+](#gdu-ec2-finding-no-support-ipv6-traffic) | High | 
| [Backdoor:EC2/DenialOfService.Tcp](guardduty_finding-types-ec2.md#backdoor-ec2-denialofservicetcp) | Amazon EC2 | VPC flow logs[+](#gdu-ec2-finding-no-support-ipv6-traffic) | High | 
| [Backdoor:EC2/DenialOfService.Udp](guardduty_finding-types-ec2.md#backdoor-ec2-denialofserviceudp) | Amazon EC2 | VPC flow logs[+](#gdu-ec2-finding-no-support-ipv6-traffic) | High | 
| [Backdoor:EC2/DenialOfService.UdpOnTcpPorts](guardduty_finding-types-ec2.md#backdoor-ec2-denialofserviceudpontcpports) | Amazon EC2 | VPC flow logs[+](#gdu-ec2-finding-no-support-ipv6-traffic) | High | 
| [Backdoor:EC2/DenialOfService.UnusualProtocol](guardduty_finding-types-ec2.md#backdoor-ec2-denialofserviceunusualprotocol) | Amazon EC2 | VPC flow logs[+](#gdu-ec2-finding-no-support-ipv6-traffic) | High | 
| [Backdoor:EC2/Spambot](guardduty_finding-types-ec2.md#backdoor-ec2-spambot) | Amazon EC2 | VPC flow logs[+](#gdu-ec2-finding-no-support-ipv6-traffic) | Medium | 
| [Behavior:EC2/NetworkPortUnusual](guardduty_finding-types-ec2.md#behavior-ec2-networkportunusual) | Amazon EC2 | VPC flow logs[+](#gdu-ec2-finding-no-support-ipv6-traffic) | Medium | 
| [Behavior:EC2/TrafficVolumeUnusual](guardduty_finding-types-ec2.md#behavior-ec2-trafficvolumeunusual) | Amazon EC2 | VPC flow logs[+](#gdu-ec2-finding-no-support-ipv6-traffic) | Medium | 
| [CryptoCurrency:EC2/BitcoinTool.B](guardduty_finding-types-ec2.md#cryptocurrency-ec2-bitcointoolb) | Amazon EC2 | VPC flow logs[+](#gdu-ec2-finding-no-support-ipv6-traffic) | High | 
| [DefenseEvasion:EC2/UnusualDNSResolver](guardduty_finding-types-ec2.md#defenseevasion-ec2-unusualdnsresolver) | Amazon EC2 | VPC flow logs[+](#gdu-ec2-finding-no-support-ipv6-traffic) | Medium | 
| [DefenseEvasion:EC2/UnusualDoHActivity](guardduty_finding-types-ec2.md#defenseevasion-ec2-unsualdohactivity) | Amazon EC2 | VPC flow logs[+](#gdu-ec2-finding-no-support-ipv6-traffic) | Medium | 
| [DefenseEvasion:EC2/UnusualDoTActivity](guardduty_finding-types-ec2.md#defenseevasion-ec2-unusualdotactivity) | Amazon EC2 | VPC flow logs[+](#gdu-ec2-finding-no-support-ipv6-traffic) | Medium | 
| [Impact:EC2/PortSweep](guardduty_finding-types-ec2.md#impact-ec2-portsweep) | Amazon EC2 | VPC flow logs[+](#gdu-ec2-finding-no-support-ipv6-traffic) | High | 
| [Impact:EC2/WinRMBruteForce](guardduty_finding-types-ec2.md#impact-ec2-winrmbruteforce) | Amazon EC2 | VPC flow logs[+](#gdu-ec2-finding-no-support-ipv6-traffic) | Low[*](#gdu-active-findings-variable-severity) | 
| [Recon:EC2/PortProbeEMRUnprotectedPort](guardduty_finding-types-ec2.md#recon-ec2-portprobeemrunprotectedport) | Amazon EC2 | VPC flow logs[+](#gdu-ec2-finding-no-support-ipv6-traffic) | High | 
| [Recon:EC2/PortProbeUnprotectedPort](guardduty_finding-types-ec2.md#recon-ec2-portprobeunprotectedport) | Amazon EC2 | VPC flow logs[+](#gdu-ec2-finding-no-support-ipv6-traffic) | Low[*](#gdu-active-findings-variable-severity) | 
| [Recon:EC2/Portscan](guardduty_finding-types-ec2.md#recon-ec2-portscan) | Amazon EC2 | VPC flow logs[+](#gdu-ec2-finding-no-support-ipv6-traffic) | Medium | 
| [Trojan:EC2/BlackholeTraffic](guardduty_finding-types-ec2.md#trojan-ec2-blackholetraffic) | Amazon EC2 | VPC flow logs[+](#gdu-ec2-finding-no-support-ipv6-traffic) | Medium | 
| [Trojan:EC2/DropPoint](guardduty_finding-types-ec2.md#trojan-ec2-droppoint) | Amazon EC2 | VPC flow logs[+](#gdu-ec2-finding-no-support-ipv6-traffic) | Medium | 
| [UnauthorizedAccess:EC2/MaliciousIPCaller.Custom](guardduty_finding-types-ec2.md#unauthorizedaccess-ec2-maliciousipcallercustom) | Amazon EC2 | VPC flow logs[+](#gdu-ec2-finding-no-support-ipv6-traffic) | Medium | 
| [UnauthorizedAccess:EC2/RDPBruteForce](guardduty_finding-types-ec2.md#unauthorizedaccess-ec2-rdpbruteforce) | Amazon EC2 | VPC flow logs[+](#gdu-ec2-finding-no-support-ipv6-traffic) | Low[*](#gdu-active-findings-variable-severity) | 
| [UnauthorizedAccess:EC2/SSHBruteForce](guardduty_finding-types-ec2.md#unauthorizedaccess-ec2-sshbruteforce) | Amazon EC2 | VPC flow logs[+](#gdu-ec2-finding-no-support-ipv6-traffic) | Low[*](#gdu-active-findings-variable-severity) | 
| [UnauthorizedAccess:EC2/TorClient](guardduty_finding-types-ec2.md#unauthorizedaccess-ec2-torclient) | Amazon EC2 | VPC flow logs[+](#gdu-ec2-finding-no-support-ipv6-traffic) | High | 
| [UnauthorizedAccess:EC2/TorRelay](guardduty_finding-types-ec2.md#unauthorizedaccess-ec2-torrelay) | Amazon EC2 | VPC flow logs[+](#gdu-ec2-finding-no-support-ipv6-traffic) | High | 