< Back to rules search
AWS EC2 instance credential exfiltrated
Set up the guardduty integration.
Detect when an AWS API call is made from a non EC2 IP for a credential which is scoped to an EC2 Instance.
This rule lets you monitor this GuardDuty integration finding:
Triage & Response
- Determine the EC2 instance this credential is scoped to. This can be found in the samples.
- Determine if the EC2 instance credentials are compromised.
- If the instance is compromised:
- Review the AWS documentation on remediating a compromised EC2 instance.