Suspicious activity

AWS GuardDuty detects suspicious usage of instance profile credentials


External usage of instance profile credentials was found by AWS GuardDuty service on {AwsIamRole} and the IAM role is permissive or attached to many instances in the account. AWS GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity. The service detected one of the following types of suspicious activity: (UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS, UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS).