Amazon GuardDuty detected alerts for the UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS finding type.
The GuardDuty finding type UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS indicates that AWS credentials that were created exclusively for an Amazon Elastic Compute Cloud (Amazon EC2) instance through an instance launch role are being used from an external IP address.
Follow the instructions to view and analyze your GuardDuty findings. Then, in the findings detail pane, note the external IP address and IAM user name.
If the external IP address is owned by you or someone that you trust, then you can auto-archive the findings with a suppression rule.
Note: Permissions for the IAM user are denied for all EC2 instances.
Note: Replace your-roleId and your-role-session-name with the two parts of the Principal ID from the finding, which has the form roleId:role-session-name.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "*"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:userId": "your-roleId:your-role-session-name"
        }
      }
    }
  ]
}
Note: As a security best practice, be sure to require the use of IMDSv2 on an existing instance.
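The triage steps above (read the external IP and principal from the finding, suppress if the IP is trusted, otherwise build the session-scoped deny policy), as an added Python example that is not part of the AWS article. The finding below is constructed sample data; its field names assume the shape of a GuardDuty GetFindings response.

```python
import ipaddress

# Constructed sample finding (not real data), shaped like a GetFindings result.
SAMPLE_FINDING = {
    "Type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS",
    "Resource": {
        "AccessKeyDetails": {
            "PrincipalId": "AROAEXAMPLEROLEID:i-0123456789abcdef0",
            "UserName": "example-instance-role",
        }
    },
    "Service": {
        "Action": {
            "AwsApiCallAction": {"RemoteIpDetails": {"IpAddressV4": "203.0.113.45"}}
        }
    },
}

def extract_indicators(finding):
    """Return (external IP, principal ID, role name) from the finding detail pane data."""
    key = finding["Resource"]["AccessKeyDetails"]
    ip = finding["Service"]["Action"]["AwsApiCallAction"]["RemoteIpDetails"]["IpAddressV4"]
    return ip, key["PrincipalId"], key["UserName"]

def is_trusted_ip(ip, trusted_cidrs):
    """True if the IP falls inside a CIDR you own or trust (suppression candidate)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in trusted_cidrs)

def build_deny_policy(principal_id):
    """Build the inline deny policy from the article, scoped to this one role session."""
    role_id, _, session = principal_id.partition(":")
    if not role_id or not session or ":" in session:
        raise ValueError("expected an assumed-role principal ID of the form roleId:session-name")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": ["*"],
            "Resource": ["*"],
            "Condition": {"StringEquals": {"aws:userId": principal_id}},
        }],
    }

def triage(finding, trusted_cidrs):
    """Decide between auto-archiving the finding and revoking the leaked session."""
    ip, principal_id, role_name = extract_indicators(finding)
    if is_trusted_ip(ip, trusted_cidrs):
        return {"action": "suppress", "ip": ip, "role": role_name}
    return {"action": "deny", "ip": ip, "role": role_name,
            "policy": build_deny_policy(principal_id)}
```

The returned policy is what you would attach inline to the role named in the finding; the IP check only decides whether a suppression rule is appropriate instead.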