Malicious activity

AWS GuardDuty detects API calls using an administrative user from suspicious source

Risk Level

Imminent Compromised (2)

Platform(s)

AWS

Compliance Frameworks

Description

AWS GuardDuty detected API calls made from a suspicious source address with an IAM user that has administrative permissions. AWS GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity. This rule covers the IAM recon finding types Recon:IAMUser/MaliciousIPCaller, Recon:IAMUser/MaliciousIPCaller.Custom and Recon:IAMUser/TorIPCaller, which GuardDuty raises when reconnaissance API calls (such as listing users, roles, policies or buckets) originate from a known Tor exit node or from an IP address on a threat list (AWS-managed or customer-supplied), and it fires only when the calling IAM user has administrative permissions. Reconnaissance from such a source with an administrative identity usually means the credentials are already in an attacker's hands: treat the access keys as compromised, rotate or disable them, and review CloudTrail for the actions taken with them.
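The correlation this rule performs, as an added example that is not part of the original page or of GuardDuty itself: filter GuardDuty findings to the three recon types above and keep only those whose IAM user is administrative. The finding documents are constructed to follow the GuardDuty finding JSON shape (Type, Resource.AccessKeyDetails, Service.Action.AwsApiCallAction.RemoteIpDetails); the ADMIN_PRINCIPALS table is an assumed stand-in for an IAM lookup (for example, checking attached policies for AdministratorAccess) and the user names, IDs and IPs are invented.

```python
"""Triage GuardDuty IAM recon findings from suspicious sources (added example)."""
from dataclasses import dataclass
from typing import Any, Dict, Iterable, List

# Finding types this rule cares about: recon API calls from a Tor exit node or a
# threat-listed IP (AWS-managed list, or a customer threat list for .Custom).
SUSPICIOUS_SOURCE_RECON_TYPES = frozenset({
    "Recon:IAMUser/MaliciousIPCaller",
    "Recon:IAMUser/MaliciousIPCaller.Custom",
    "Recon:IAMUser/TorIPCaller",
})

# Assumption: stand-in for an IAM lookup (e.g. inspecting the user's attached
# policies for AdministratorAccess). Unknown users are treated as non-admin.
ADMIN_PRINCIPALS = {"alice-admin": True, "ci-deployer": False}


@dataclass(frozen=True)
class Alert:
    finding_id: str
    finding_type: str
    user_name: str
    remote_ip: str
    api: str


def is_admin(user_name: str) -> bool:
    """Return True only for principals known to hold administrative permissions."""
    return ADMIN_PRINCIPALS.get(user_name, False)


def triage(findings: Iterable[Dict[str, Any]]) -> List[Alert]:
    """Return an Alert for each recon-from-suspicious-source finding by an admin user."""
    alerts: List[Alert] = []
    for f in findings:
        if f.get("Type") not in SUSPICIOUS_SOURCE_RECON_TYPES:
            continue
        user = f.get("Resource", {}).get("AccessKeyDetails", {}).get("UserName", "")
        if not is_admin(user):
            continue
        action = f.get("Service", {}).get("Action", {}).get("AwsApiCallAction", {})
        remote_ip = action.get("RemoteIpDetails", {}).get("IpAddressV4", "unknown")
        alerts.append(Alert(f["Id"], f["Type"], user, remote_ip, action.get("Api", "unknown")))
    return alerts


# Constructed sample findings (not real GuardDuty output); IPs are documentation ranges.
SAMPLE_FINDINGS = [
    {   # admin user enumerating IAM from a threat-listed IP -> should alert
        "Id": "f-1",
        "Type": "Recon:IAMUser/MaliciousIPCaller",
        "Resource": {"AccessKeyDetails": {"UserType": "IAMUser", "UserName": "alice-admin"}},
        "Service": {"Action": {"AwsApiCallAction": {
            "Api": "ListUsers", "ServiceName": "iam.amazonaws.com",
            "RemoteIpDetails": {"IpAddressV4": "203.0.113.10"}}}},
    },
    {   # non-admin user from a Tor exit node -> outside this rule's scope
        "Id": "f-2",
        "Type": "Recon:IAMUser/TorIPCaller",
        "Resource": {"AccessKeyDetails": {"UserType": "IAMUser", "UserName": "ci-deployer"}},
        "Service": {"Action": {"AwsApiCallAction": {
            "Api": "ListBuckets", "ServiceName": "s3.amazonaws.com",
            "RemoteIpDetails": {"IpAddressV4": "198.51.100.7"}}}},
    },
    {   # admin user, but a different finding family -> not matched by this rule
        "Id": "f-3",
        "Type": "Stealth:IAMUser/CloudTrailLoggingDisabled",
        "Resource": {"AccessKeyDetails": {"UserType": "IAMUser", "UserName": "alice-admin"}},
        "Service": {"Action": {"AwsApiCallAction": {
            "Api": "StopLogging", "ServiceName": "cloudtrail.amazonaws.com",
            "RemoteIpDetails": {"IpAddressV4": "192.0.2.44"}}}},
    },
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_FINDINGS):
        print(alert)
```

Only the first sample finding produces an alert; the second is excluded because the user is not administrative, the third because a Stealth finding is not one of the recon types this rule covers. In a real deployment the admin check would query IAM rather than a static table, and the alert would carry the access key ID so it can be disabled immediately.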