Why did I receive Amazon GuardDuty UnauthorizedAccess:IAMUser/TorIPCaller or Recon:IAMUser/TorIPCaller finding type alerts for my IAM user or role?
Amazon GuardDuty detected alerts for the UnauthorizedAccess:IAMUser/TorIPCaller or Recon:IAMUser/TorIPCaller finding types.
Short description
The UnauthorizedAccess:IAMUser/TorIPCaller and Recon:IAMUser/TorIPCaller finding types indicate that your AWS Identity and Access Management (IAM) identity credentials or access keys were used to make an AWS API call from a Tor exit node IP address. For example, you can receive this finding when the credentials are used to create an Amazon Elastic Compute Cloud (Amazon EC2) instance, list access key IDs, or modify IAM permissions. These finding types can also indicate that the IAM identity credentials or access keys have been associated with unauthorized activity. For more information, see Finding types.
Resolution
Use GuardDuty to locate the IAM access key ID reported in the finding, and AWS CloudTrail to identify the AWS API activity made with that key.
If you confirm that the activity isn't a legitimate use of AWS credentials, it's a security best practice to assume that all AWS credentials are compromised. Follow these instructions to remediate compromised AWS credentials.
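The correlation described above, as an added example that is not part of this article: the access key ID and caller IP are read from a GuardDuty finding JSON (abbreviated to the fields used), and every CloudTrail record carrying that key is summarised by API, source IP and error code so the activity can be judged legitimate or not. The key IDs, IP addresses and timestamps are constructed sample data.

```python
import json
from collections import Counter

# Constructed GuardDuty finding, trimmed to the fields used here (not a real finding).
FINDING = {
    "type": "UnauthorizedAccess:IAMUser/TorIPCaller",
    "resource": {"accessKeyDetails": {"accessKeyId": "AKIAEXAMPLEKEY000001",
                                      "userName": "deploy-user", "userType": "IAMUser"}},
    "service": {"action": {"awsApiCallAction": {"api": "ListAccessKeys",
                           "remoteIpDetails": {"ipAddressV4": "198.51.100.23"}}}},
}

# Constructed CloudTrail records, one JSON object per line (not real log data).
CLOUDTRAIL_LINES = """
{"eventTime":"2024-05-01T10:00:00Z","eventSource":"iam.amazonaws.com","eventName":"ListAccessKeys","sourceIPAddress":"198.51.100.23","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAEXAMPLEKEY000001","userName":"deploy-user"}}
{"eventTime":"2024-05-01T10:00:05Z","eventSource":"iam.amazonaws.com","eventName":"AttachUserPolicy","sourceIPAddress":"198.51.100.23","errorCode":"AccessDenied","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAEXAMPLEKEY000001","userName":"deploy-user"}}
{"eventTime":"2024-05-01T10:00:09Z","eventSource":"ec2.amazonaws.com","eventName":"RunInstances","sourceIPAddress":"198.51.100.23","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAEXAMPLEKEY000001","userName":"deploy-user"}}
{"eventTime":"2024-05-01T10:01:00Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets","sourceIPAddress":"203.0.113.7","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAEXAMPLEKEY000002","userName":"ci-user"}}
"""


def access_key_from_finding(finding):
    """Return the access key ID and caller IP that GuardDuty reported."""
    key = finding["resource"]["accessKeyDetails"]["accessKeyId"]
    ip = finding["service"]["action"]["awsApiCallAction"]["remoteIpDetails"]["ipAddressV4"]
    return key, ip


def activity_for_key(lines, access_key_id):
    """Summarise every CloudTrail call made with the given access key: per-API
    counts, the source IPs seen, and denied calls (a sign of privilege probing)."""
    calls, ips, denied = Counter(), set(), []
    for line in lines.strip().splitlines():
        rec = json.loads(line)
        if rec.get("userIdentity", {}).get("accessKeyId") != access_key_id:
            continue
        calls[f'{rec["eventSource"]}:{rec["eventName"]}'] += 1
        ips.add(rec["sourceIPAddress"])
        if "errorCode" in rec:
            denied.append((rec["eventTime"], rec["eventName"], rec["errorCode"]))
    return {"calls": dict(calls), "source_ips": sorted(ips), "denied": denied}


if __name__ == "__main__":
    key, tor_ip = access_key_from_finding(FINDING)
    summary = activity_for_key(CLOUDTRAIL_LINES, key)
    print(f"{FINDING['type']}: key {key} seen from Tor exit {tor_ip}")
    print(json.dumps(summary, indent=2))
```

In a real investigation the CloudTrail lines would come from the trail's S3 bucket or CloudTrail Lake rather than an inline string; the filtering logic is the same.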