@0xdabbad00
Created January 19, 2022 23:28
{
  "version": "1",
  "type": "NEW_FINDINGS",
  "findingDetails": [
    {
      "link": "",
      "findingType": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS",
      "findingDescription": "On January 20, 2022 Amazon GuardDuty will add a new finding type to inform you when your EC2 instance credentials are used from another AWS account. Augmenting the existing GuardDuty capability to detect when your EC2 instance credentials are used from outside of AWS, the new finding type limits a malicious actor’s ability to evade detection by using the EC2 instance credentials from another AWS account. If you are an existing GuardDuty customer then you don’t need to take any action to start using this new capability to monitor your control plane operations as captured in AWS CloudTrail. If you are also a GuardDuty S3 Protection customer then this new threat detection will further inform you when EC2 instance credentials are used from another AWS account to invoke S3 data plane operations (e.g. LISTs/PUTs/GETs). The new finding type includes two new fields: service.action.awsApiCallAction.remoteAccountDetails.accountId shows the AWS account ID of the remote account the EC2 credentials were used from, and service.action.awsApiCallAction.remoteAccountDetails.affiliated provides context on whether the remote account is affiliated with the account that the credentials are associated with. Two accounts are affiliated when they are part of the same GuardDuty multi-account setup. If the accounts are not affiliated then the finding severity will be high, and if they are affiliated it will be medium. To reduce finding volume for expected use cases, GuardDuty also learns commonly used cross-account networking topologies, such as when AWS Transit Gateway is used to route traffic between two AWS accounts. To further reduce finding volume for expected use cases, you can also use the newly added finding fields to create GuardDuty finding suppression rules, for example by creating a suppression rule using the new finding type name and the remote account ID.\n\nWith the release of this new finding type, the GuardDuty documentation will be updated with additional details on suggested steps to take when this finding is generated for your account."
    }
  ]
}