@0xdabbad00
Created August 3, 2021 23:06
Guardduty announcement to SNS 2021.08.03
[{
"version": "1",
"type": "UPDATED_FINDINGS",
"featureDetails": [{
"featureDescription": "Changes to Amazon GuardDuty finding type 'UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration'. We are notifying you of a change to the name and behavior of the Amazon GuardDuty finding 'UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration' that will take effect on September 6, 2021. We are making these changes to improve the accuracy of this finding type, and in preparation for the upcoming release of a new Amazon GuardDuty finding type. These changes will take affect in all Amazon GuardDuty supported AWS regions. The finding type name 'UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration' will be replaced with the name 'UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS'. The renamed finding type 'UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS' will improve the accuracy of the existing finding type by learning the remote networks that instance credentials associated with your AWS account are used from. Once GuardDuty learns the expected behavior, it will only generate an alert if the remote network the EC2 instance credentials are used from is unusual for your account. If you have set up any downstream automation using the existing finding name, you should add similar automation based on the new finding name ahead of the changes on September 6, 2021. This update will also be sent via email to GuardDuty administrator accounts. If you have any questions about this upcoming change, please reach out to AWS Support, https://console.aws.amazon.com/support/home#/",
"featureLink": "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-instancecredentialexfiltration"
}]
},
{
"version": "1",
"type": "NEW_FEATURE",
"featureDetails": [{
"featureDescription": "Changes to Amazon GuardDuty Service Linked Role (SLR). We are notifying you of changes to the Amazon GuardDuty SLR. These changes are have been made in preparation for the upcoming release of a new Amazon GuardDuty finding type. The following new permissions have been added to the Amazon GuardDuty SLR: ec2:DescribeVpcEndpoints, ec2:DescribeSubnets, ec2:DescribeVpcPeeringConnections, ec2:DescribeTransitGatewayAttachments. This update will also be sent via email to GuardDuty administrator accounts. If you have any questions about this upcoming change, please reach out to AWS Support, https: //console.aws.amazon.com/support/home#/",
"featureLink": "https://docs.aws.amazon.com/guardduty/latest/ug/using-service-linked-roles.html"
}]
}]