AWS IAM user making API requests with hacking tools
New announcements from Dash: Incident Management, Continuous Profiler, and more! New announcements from Dash!
<  Back to rules search

AWS IAM user making API requests with hacking tools

guardduty

Overview

Goal

Detect when an AWS IAM user makes API requests with hacking tools.

Strategy

This rule lets you monitor these GuardDuty integration findings:

Triage & Response

  1. Determine which user triggered the signal. This can be found in the signal.
  2. Determine if the user’s credentials are compromised.
  3. If the user’s credentials are compromised:
  • Review the AWS documentation on remediating compromised AWS credentials.