News

AWS GuardDuty Now Detects EC2 Instance Credential Exfiltration

• By John K. Waters
• 01/27/2022

Amazon Web Services (AWS) added a new capability to Amazon GuardDuty this week that allows the threat detection service to spot Elastic Compute Cloud (EC2) instance credentials being used by other AWS accounts.

Amazon GuardDuty was designed to monitor continuously for malicious activity and unauthorized behavior on AWS accounts, workloads and data stored in Amazon Simple Storage Service (Amazon S3). As Sébastien Stormacq, AWS principle developer advocate, described it in a blog post:

Informed by a multitude of public and AWS-generated data feeds and powered by machine learning, GuardDuty analyzes billions of events in pursuit of trends, patterns, and anomalies that are recognizable signs that something is amiss. You can enable it with a click and see the first findings within minutes.

Since its launch in 2017, GuardDuty has been able to detect when EC2 instance credentials are used from IP addresses outside AWS. These are the temporary credentials made available through the EC2 metadata service to any applications running on an instance when an AWS Identity and Access Management (IAM) role is attached to it. If a malicious actor gains access to an instance's meta data service, they could extract the credential -- permissions that define the IAM role attached to it.

When anomalies are detected outside AWS, the service delivers a detailed security alert to the AWS account owner, making alerts actionable and easy to integrate with existing event management and workflow systems.

The new capability was added to GuardDuty to thwart clever attackers who hide their activities by using credentials from other AWS accounts inside the AWS network, the company explained in a statement. GuardDuty now generates alerts when it detects a misuse of EC2 instance credentials used from an affiliated account (accounts monitored by the same GuardDuty administrator account, also known as GuardDuty Member Accounts). GuardDuty allows users to terminate compromised instances or shut down an application to prevent an attacker from extracting renewed instance credentials upon expiration.

The new capability is enabled by default at no additional cost on AWS accounts.