Features
Integrations
Dashboards
Log Management
APM
Security Monitoring
Network Monitoring
Synthetic Monitoring
Real User Monitoring
Serverless
Alerts
API
< Back to rules search
AWS EC2 Instance Credential Exfiltrated
Classification:
threat-intel
Set up the guardduty integration.
Overview
Goal
Detect when an AWS API call is made from a non EC2 IP for a credential which is scoped to an EC2 Instance.
Strategy
This rule lets you monitor this GuardDuty integration finding:
Triage & Response
- Determine the EC2 instance this credential is scoped to. This can be found in the samples.
- Determine if the EC2 instance credentials are compromised.
- If the instance is compromised:
- Review the AWS documentation on remediating a compromised EC2 instance.
On this Page