Suspicious activity

Describe EC2 instance API call was made from Tor IP address

Risk Level

Hazardous (3)



Orca detected that an API call to list EC2 instances was made from Tor IP address - {MaliciousIp.MaliciousIp}. This action may indicate of a presence of an unauthorized actor in the cloud environment, since listing EC2 instances is a common enumeration action attackers conduct in the reconnaissance phase.
  • Recommended Mitigation

    It is recommended to review relevant CloudTrail event and principal's activity that issued this API call.