Malicious activity

AWS GuardDuty detects suspicious usage of instance profile credentials

Risk Level

Imminent Compromised (2)

Compliance Frameworks


External usage of instance profile credentials was found by AWS GuardDuty service on {AwsIamRole} and the IAM role is permissive or attached to many instances in the account. AWS GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity. The service detected one of the following types of suspicious activity: (UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS, UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS).