amazon-guardduty-hands-on

GuardDuty Not Detecting IAM Role Credential Exfiltration

Open cloudlessk opened this issue 4 years ago • 3 comments

I have successfully completed the first portion of this section where I have queried DynamoDB data, accessed all the parameter stores and deleted parameters.

However, no signals are appearing on the GuardDuty console which match with "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration".

Can this portion of the tutorial be fixed please, thanks.

cloudlessk, Feb 15 '21 06:02

@cloudlessk is right. I haven't been able to reproduce "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration" findings by following the tutorial either.

djn658, Feb 24 '21 18:02

I am also seeing this issue.

charliejllewellyn, May 10 '22 07:05

I was also seeing this issue. However, it seems I was just not patient enough. The finding eventually came in (~20-30 mins after I ran the command). I suspect it took time for the event to be picked up by CloudTrail and propagated to GuardDuty.

ironspur5, May 12 '22 18:05