GuardDuty IAM finding types - Amazon GuardDuty
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

GuardDuty IAM finding types

The following findings are specific to IAM entities and access keys and always have a Resource Type of AccessKey. The severity and details of the findings differ based on the finding type.

The findings listed here include the data sources and models used to generate that finding type. For more information data sources and models see How Amazon GuardDuty uses its data sources.

For all IAM related findings, we recommend that you examine the entity in question and ensure that their permissions follow the best practice of least privilege. If the activity is unexpected, the credentials may be compromised. See actions detailed in Remediating compromised Amazon credentials.

CredentialAccess:IAMUser/AnomalousBehavior

An API used to gain access to an Amazon environment was invoked in an anomalous way.

Default severity: Medium

  • Data source: CloudTrail management event

This finding informs you that an anomalous API request was observed in your account. This finding may include a single API or a series of related API requests made in proximity by a single user identity. The API observed is commonly associated with the credential access stage of an attack when an adversary is attempting to collect passwords, user names, and access keys for your environment. The APIs in this category are GetPasswordData, GetSecretValue, and GenerateDbAuthToken.

This API request was identified as anomalous by GuardDuty's anomaly detection machine learning (ML) model. The ML model evaluates all API requests in your account and identifies anomalous events that are associated with techniques used by adversaries. The ML model tracks various factors of the API request, such as, the user that made the request, the location the request was made from, and the specific API that was requested. Details on which factors of the API request are unusual for the user identity that invoked the request can be found in the finding details.

Remediation recommendations:

If this activity is unexpected, your credentials may be compromised. For more information, see Remediating compromised Amazon credentials.

DefenseEvasion:IAMUser/AnomalousBehavior

An API used to evade defensive measures was invoked in an anomalous way.

Default severity: Medium

  • Data source: CloudTrail management event

This finding informs you that an anomalous API request was observed in your account. This finding may include a single API or a series of related API requests made in proximity by a single user identity. The API observed is commonly associated with defense evasion tactics where an adversary is trying to cover their tracks and avoid detection. APIs in this category are typically delete, disable, or stop operations, such as, DeleteFlowLogs, DisableAlarmActions, or StopLogging.

This API request was identified as anomalous by GuardDuty's anomaly detection machine learning (ML) model. The ML model evaluates all API requests in your account and identifies anomalous events that are associated with techniques used by adversaries. The ML model tracks various factors of the API request, such as, the user that made the request, the location the request was made from, and the specific API that was requested. Details on which factors of the API request are unusual for the user identity that invoked the request can be found in the finding details.

Remediation recommendations:

If this activity is unexpected, your credentials may be compromised. For more information, see Remediating compromised Amazon credentials.

Discovery:IAMUser/AnomalousBehavior

An API commonly used to discover resources was invoked in an anomalous way.

Default severity: Low

  • Data source: CloudTrail management event

This finding informs you that an anomalous API request was observed in your account. This finding may include a single API or a series of related API requests made in proximity by a single user identity. The API observed is commonly associated with the discovery stage of an attack when an adversary is gathering information to determine if your Amazon environment is susceptible to a broader attack. APIs in this category are typically get, describe, or list operations, such as, DescribeInstances, GetRolePolicy, or ListAccessKeys.

This API request was identified as anomalous by GuardDuty's anomaly detection machine learning (ML) model. The ML model evaluates all API requests in your account and identifies anomalous events that are associated with techniques used by adversaries. The ML model tracks various factors of the API request, such as, the user that made the request, the location the request was made from, and the specific API that was requested. Details on which factors of the API request are unusual for the user identity that invoked the request can be found in the finding details.

Remediation recommendations:

If this activity is unexpected, your credentials may be compromised. For more information, see Remediating compromised Amazon credentials.

Exfiltration:IAMUser/AnomalousBehavior

An API commonly used to collect data from an Amazon environment was invoked in an anomalous way.

Default severity: High

  • Data source: CloudTrail management event

This finding informs you that an anomalous API request was observed in your account. This finding may include a single API or a series of related API requests made in proximity by a single user identity. The API observed is commonly associated with exfiltration tactics where an adversary is trying to collect data from your network using packaging and encryption to avoid detection. APIs for this finding type are management (control-plane) operations only and are typically related to S3, snapshots, and databases, such as, PutBucketReplication, CreateSnapshot, or RestoreDBInstanceFromDBSnapshot.

This API request was identified as anomalous by GuardDuty's anomaly detection machine learning (ML) model. The ML model evaluates all API requests in your account and identifies anomalous events that are associated with techniques used by adversaries. The ML model tracks various factors of the API request, such as, the user that made the request, the location the request was made from, and the specific API that was requested. Details on which factors of the API request are unusual for the user identity that invoked the request can be found in the finding details.

Remediation recommendations:

If this activity is unexpected, your credentials may be compromised. For more information, see Remediating compromised Amazon credentials.

Impact:IAMUser/AnomalousBehavior

An API commonly used to tamper with data or processes in an Amazon environment was invoked in an anomalous way.

Default severity: High

  • Data source: CloudTrail management event

This finding informs you that an anomalous API request was observed in your account. This finding may include a single API or a series of related API requests made in proximity by a single user identity. The API observed is commonly associated with impact tactics where an adversary is trying to disrupt operations and manipulate, interrupt, or destroy data in your account. APIs for this finding type are typically delete, update, or put operations, such as, DeleteSecurityGroup, UpdateUser, or PutBucketPolicy.

This API request was identified as anomalous by GuardDuty's anomaly detection machine learning (ML) model. The ML model evaluates all API requests in your account and identifies anomalous events that are associated with techniques used by adversaries. The ML model tracks various factors of the API request, such as, the user that made the request, the location the request was made from, and the specific API that was requested. Details on which factors of the API request are unusual for the user identity that invoked the request can be found in the finding details.

Remediation recommendations:

If this activity is unexpected, your credentials may be compromised. For more information, see Remediating compromised Amazon credentials.

InitialAccess:IAMUser/AnomalousBehavior

An API commonly used to gain unauthorized access to an Amazon environment was invoked in an anomalous way.

Default severity: Medium

  • Data source: CloudTrail management event

This finding informs you that an anomalous API request was observed in your account. This finding may include a single API or a series of related API requests made in proximity by a single user identity. The API observed is commonly associated with the initial access stage of an attack when an adversary is attempting to establish access to your environment. APIs in this category are typically get token, or session operations, such as, GetFederationToken, StartSession, or GetAuthorizationToken.

This API request was identified as anomalous by GuardDuty's anomaly detection machine learning (ML) model. The ML model evaluates all API requests in your account and identifies anomalous events that are associated with techniques used by adversaries. The ML model tracks various factors of the API request, such as, the user that made the request, the location the request was made from, and the specific API that was requested. Details on which factors of the API request are unusual for the user identity that invoked the request can be found in the finding details.

Remediation recommendations:

If this activity is unexpected, your credentials may be compromised. For more information, see Remediating compromised Amazon credentials.

PenTest:IAMUser/KaliLinux

An API was invoked from a Kali Linux EC2 machine.

Default severity: Medium

  • Data source: CloudTrail management event

This finding informs you that a machine running Kali Linux is making API calls using credentials that belong to the listed Amazon account in your environment. Kali Linux is a popular penetration testing tool that security professionals use to identify weaknesses in EC2 instances that require patching. Attackers also use this tool to find EC2 configuration weaknesses and gain unauthorized access to your Amazon environment.

Remediation recommendations:

If this activity is unexpected, your credentials may be compromised. For more information, see Remediating compromised Amazon credentials.

PenTest:IAMUser/ParrotLinux

An API was invoked from a Parrot Security Linux machine.

Default severity: Medium

  • Data source: CloudTrail management event

This finding informs you that a machine running Parrot Security Linux is making API calls using credentials that belong to the listed Amazon account in your environment. Parrot Security Linux is a popular penetration testing tool that security professionals use to identify weaknesses in EC2 instances that require patching. Attackers also use this tool to find EC2 configuration weaknesses and gain unauthorized access to your Amazon environment.

Remediation recommendations:

If this activity is unexpected, your credentials may be compromised. For more information, see Remediating compromised Amazon credentials.

PenTest:IAMUser/PentooLinux

An API was invoked from a Pentoo Linux machine.

Default severity: Medium

  • Data source: CloudTrail management event

This finding informs you that a machine running Pentoo Linux is making API calls using credentials that belong to the listed Amazon account in your environment. Pentoo Linux is a popular penetration testing tool that security professionals use to identify weaknesses in EC2 instances that require patching. Attackers also use this tool to find EC2 configuration weaknesses and gain unauthorized access to your Amazon environment.

Remediation recommendations:

If this activity is unexpected, your credentials may be compromised. For more information, see Remediating compromised Amazon credentials.

Persistence:IAMUser/AnomalousBehavior

An API commonly used to maintain unauthorized access to an Amazon environment was invoked in an anomalous way.

Default severity: Medium

  • Data source: CloudTrail management event

This finding informs you that an anomalous API request was observed in your account. This finding may include a single API or a series of related API requests made in proximity by a single user identity. The API observed is commonly associated with persistence tactics where an adversary has gained access to your environment and is attempting to maintain that access. APIs in this category are typically create, import, or modify operations, such as, CreateAccessKey, ImportKeyPair, or ModifyInstanceAttribute.

This API request was identified as anomalous by GuardDuty's anomaly detection machine learning (ML) model. The ML model evaluates all API requests in your account and identifies anomalous events that are associated with techniques used by adversaries. The ML model tracks various factors of the API request, such as, the user that made the request, the location the request was made from, and the specific API that was requested. Details on which factors of the API request are unusual for the user identity that invoked the request can be found in the finding details.

Remediation recommendations:

If this activity is unexpected, your credentials may be compromised. For more information, see Remediating compromised Amazon credentials.

Policy:IAMUser/RootCredentialUsage

An API was invoked using root credentials.

Default severity: Low

  • Data source: CloudTrail management events or CloudTrail data events

This finding informs you that the root credentials of the listed Amazon account in your environment are being used to make requests to Amazon services. It is recommended that users never use root credentials to access Amazon services. Instead, Amazon services should be accessed using least privilege temporary credentials from Amazon Security Token Service (STS). For situations where Amazon STS is not supported, IAM user credentials are recommended. For more information, see IAM Best Practices

Note

If S3 threat detection is enabled for the account this finding may be generated in response to attempts to run S3 data plane operations on S3 resources using the root credentials of the Amazon account. The API call used will be listed in the finding details. If S3 threat detection is not enabled this finding can only be triggered by Event log APIs. For more information on S3 threat detection see S3 protection.

Remediation recommendations:

If this activity is unexpected, your credentials may be compromised. For more information, see Remediating compromised Amazon credentials.

PrivilegeEscalation:IAMUser/AnomalousBehavior

An API commonly used to obtain high-level permissions to an Amazon environment was invoked in an anomalous way.

Default severity: Medium

  • Data source: CloudTrail management events

This finding informs you that an anomalous API request was observed in your account. This finding may include a single API or a series of related API requests made in proximity by a single user identity. The API observed is commonly associated with privilege escalation tactics where an adversary is attempting to gain higher-level permissions to an environment . APIs in this category typically involve operations that change IAM policies, roles, and users, such as, AssociateIamInstanceProfile, AddUserToGroup, or PutUserPolicy.

This API request was identified as anomalous by GuardDuty's anomaly detection machine learning (ML) model. The ML model evaluates all API requests in your account and identifies anomalous events that are associated with techniques used by adversaries. The ML model tracks various factors of the API request, such as, the user that made the request, the location the request was made from, and the specific API that was requested. Details on which factors of the API request are unusual for the user identity that invoked the request can be found in the finding details.

Remediation recommendations:

If this activity is unexpected, your credentials may be compromised. For more information, see Remediating compromised Amazon credentials.

Recon:IAMUser/MaliciousIPCaller

An API was invoked from a known malicious IP address.

Default severity: Medium

  • Data source: CloudTrail management events

This finding informs you that an API operation that can list or describe Amazon resources in an account within your environment was invoked from an IP address that is included on a threat list. An attacker may use stolen credentials to perform this type of reconnaissance of your Amazon resources in order to find more valuable credentials or determine the capabilities of the credentials they already have.

Remediation recommendations:

If this activity is unexpected, your credentials may be compromised. For more information, see Remediating compromised Amazon credentials.

Recon:IAMUser/MaliciousIPCaller.Custom

An API was invoked from a known malicious IP address.

Default severity: Medium

  • Data source: CloudTrail management events

This finding informs you that an API operation that can list or describe Amazon resources in an account within your environment was invoked from an IP address that is included on a custom threat list. The threat list used will be listed in the finding's details. An attacker might use stolen credentials to perform this type of reconnaissance of your Amazon resources in order to find more valuable credentials or determine the capabilities of the credentials they already have.

Remediation recommendations:

If this activity is unexpected, your credentials may be compromised. For more information, see Remediating compromised Amazon credentials.

Recon:IAMUser/TorIPCaller

An API was invoked from a Tor exit node IP address.

Default severity: Medium

  • Data source: CloudTrail management events

This finding informs you that an API operation that can list or describe Amazon resources in an account within your environment was invoked from a Tor exit node IP address. Tor is software for enabling anonymous communication. It encrypts and randomly bounces communications through relays between a series of network nodes. The last Tor node is called the exit node. An attacker would use Tor to mask their true identity.

Remediation recommendations:

If this activity is unexpected, your credentials may be compromised. For more information, see Remediating compromised Amazon credentials.

Stealth:IAMUser/CloudTrailLoggingDisabled

Amazon CloudTrail logging was disabled.

Default severity: Low

  • Data source: CloudTrail management events

This finding informs you that a CloudTrail trail within your Amazon environment was disabled. This can be an attacker's attempt to disable logging to cover their tracks by eliminating any trace of their activity while gaining access to your Amazon resources for malicious purposes. This finding can be triggered by a successful deletion or update of a trail. This finding can also be triggered by a successful deletion of an S3 bucket that stores the logs from a trail that is associated with GuardDuty.

Remediation recommendations:

If this activity is unexpected, your credentials may be compromised. For more information, see Remediating compromised Amazon credentials.

Stealth:IAMUser/PasswordPolicyChange

Account password policy was weakened.

Default severity: Low*

Note

This finding's severity can be Low, Medium, or High depending on the severity of the changes made to password policy.

  • Data source: CloudTrail management events

The Amazon account password policy was weakened on the listed account within your Amazon environment. For example, it was deleted or updated to require fewer characters, not require symbols and numbers, or required to extend the password expiration period. This finding can also be triggered by an attempt to update or delete your Amazon account password policy. The Amazon account password policy defines the rules that govern what kinds of passwords can be set for your IAM users. A weaker password policy permits the creation of passwords that are easy to remember and potentially easier to guess, thereby creating a security risk.

Remediation recommendations:

If this activity is unexpected, your credentials may be compromised. For more information, see Remediating compromised Amazon credentials.

UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B

Multiple worldwide successful console logins were observed.

Default severity: Medium

  • Data source: CloudTrail management events

This finding informs you that multiple successful console logins for the same IAM user were observed around the same time in various geographical locations. Such anomalous and risky access location patterns indicate potential unauthorized access to your Amazon resources.

Remediation recommendations:

If this activity is unexpected, your credentials may be compromised. For more information, see Remediating compromised Amazon credentials.

UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS

Credentials that were created exclusively for an EC2 instance through an Instance launch role are being used from another account within Amazon.

Default severity: High*

Note

This finding's default severity is High. However, if the API was invoked by an account affiliated with your Amazon environment, the severity is Medium.

  • Data source: CloudTrail management events or S3 data events

This finding informs you when your EC2 instance credentials are used to invoke APIs from an IP address that is owned by a different Amazon account than the one that the associated EC2 instance is running in.

Amazon does not recommend redistributing temporary credentials outside of the entity that created them (for example, Amazon applications, EC2, or Lambda). However, authorized users can export credentials from their EC2 instances to make legitimate API calls. If the remoteAccountDetails.Affiliated field is True the API was invoked from an account associated with your Amazon environment. To rule out a potential attack and verify the legitimacy of the activity, contact the IAM user to whom these credentials are assigned.

Remediation recommendations:

In response to this finding you can use the following workflow to determine a course of action:

  1. Identify the remote account involved from the service.action.awsApiCallAction.remoteAccountDetails.accountId field.

  2. Next determine if that account is affiliated with your GuardDuty environment from the service.action.awsApiCallAction.remoteAccountDetails.affiliated field.

  3. If the account is affiliated, contact the remote account owner, and the owner of the EC2 instance credentials to investigate.

  4. If the account is not affiliated, first evaluate is that account is associated with your organization but is not a part of your GuardDuty multi-account set up, or if GuardDuty has not yet been enabled in the account. Otherwise contact the owner of the EC2 credentials to determine if there is a use case for a remote account to use these credentials.

  5. If the owner of the credentials does not recognize the remote account the credentials may have been compromised by a threat actor operating within Amazon. You should take the steps recommended in Remediating a compromised EC2 instance to secure your environment. Additionally you can submit an abuse report to the Amazon Trust and Safety team to begin an investigation into the remote account. When submitting your report to Amazon Trust and Safety please include the full JSON details of the finding.

UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS

Credentials that were created exclusively for an EC2 instance through an Instance launch role are being used from an external IP address.

Default severity: High

  • Data source: CloudTrail management events or S3 data events

This finding informs you that a host outside of Amazon has attempted to run Amazon API operations using temporary Amazon credentials that were created on an EC2 instance in your Amazon environment. The listed EC2 instance might be compromised, and the temporary credentials from this instance might have been exfiltrated to a remote host outside of Amazon. Amazon does not recommend redistributing temporary credentials outside of the entity that created them (for example, Amazon applications, EC2, or Lambda). However, authorized users can export credentials from their EC2 instances to make legitimate API calls. To rule out a potential attack and verify the legitimacy of the activity, validate if the use of instance credentials from the remote IP in the finding is expected.

Remediation recommendations:

This finding is generated when networking is configured to route internet traffic such that it egresses from an on-premises gateway rather than from a VPC Internet Gateway (IGW). Common configurations, such as using Amazon Outposts, or VPC VPN connections, can result in traffic routed this way. If this is expected behavior, we recommend that you use suppression rules and create a rule that consists of two filter criteria. The first criteria is finding type, which should be UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS. The second filter criteria is API caller IPv4 Address with the IP address or CIDR range of your on-premises internet gateway. To learn more about creating suppression rules see Suppression rules.

Note

If GuardDuty observes continued activity from an external source its machine learning model will identify this as expected behavior and stop generating this finding for activity from that source. GuardDuty will continue to generate findings for new behavior from other sources, and will reevaluate learned sources as behavior changes over time.

If this activity is unexpected your credentials may be compromised, see Remediating compromised Amazon credentials.

UnauthorizedAccess:IAMUser/MaliciousIPCaller

An API was invoked from a known malicious IP address.

Default severity: Medium

  • Data source: CloudTrail management events

This finding informs you that an API operation (for example, an attempt to launch an EC2 instance, create a new IAM user, modify your Amazon privileges) was invoked from a known malicious IP address. This can indicate unauthorized access to Amazon resources within your environment.

Remediation recommendations:

If this activity is unexpected, your credentials may be compromised. For more information, see Remediating compromised Amazon credentials.

UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom

An API was invoked from an IP address on a custom threat list.

Default severity: Medium

  • Data source: CloudTrail management events

This finding informs you that an API operation (for example, an attempt to launch an EC2 instance, create a new IAM user, modify Amazon privileges) was invoked from an IP address that is included on a threat list that you uploaded. In , a threat list consists of known malicious IP addresses. This can indicate unauthorized access to Amazon resources within your environment.

Remediation recommendations:

If this activity is unexpected, your credentials may be compromised. For more information, see Remediating compromised Amazon credentials.

UnauthorizedAccess:IAMUser/TorIPCaller

An API was invoked from a Tor exit node IP address.

Default severity: Medium

  • Data source: CloudTrail management events

This finding informs you that an API operation (for example, an attempt to launch an EC2 instance, create a new IAM user, or modify your Amazon privileges) was invoked from a Tor exit node IP address. Tor is software for enabling anonymous communication. It encrypts and randomly bounces communications through relays between a series of network nodes. The last Tor node is called the exit node. This can indicate unauthorized access to your Amazon resources with the intent of hiding the attacker's true identity.

Remediation recommendations:

If this activity is unexpected, your credentials may be compromised. For more information, see Remediating compromised Amazon credentials.