Skip to content

Amazon GuardDuty now detects EC2 instance credentials used from another AWS account

Amazon GuardDuty introduces a new threat detection that informs you when your EC2 instance credentials are used to invoke APIs from an IP address that is owned by a different AWS account than the one that the associated EC2 instance is running in. The new finding type is: UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS. While Amazon GuardDuty has always informed you when your EC2 instance credentials were used from outside of AWS, this new threat detection limits a malicious actor’s ability to evade detection by using the EC2 instance credentials from another AWS account.

Source:: Amazon AWS