Vendors Amazon Web Services AWS GuardDuty GuardDuty IAM Finding Types

GuardDuty IAM Finding Types

Threat detection for IAM credentials and access keys

AWS GuardDuty IAM finding types including anomalous behaviors for credential access, defense evasion, privilege escalation, data exfiltration, root credential usage, API calls from malicious IPs or Tor nodes, and CloudTrail logging manipulation

iam credentials access-keys threat-detection account-compromise

JSON Format 10 Fields Medium Frequency Generator

Preview Sample View Schema

Overview

GuardDuty IAM findings detect suspicious activity related to IAM entities, access keys, and AWS credentials. These findings use machine learning anomaly detection and threat intelligence to identify credential theft, privilege escalation, defense evasion, root credential misuse, and API calls from malicious sources.

When Generated:

Anomalous API calls for credential access (GetPasswordData, GetSecretValue)
Defense evasion tactics (DeleteFlowLogs, DisableAlarmActions, StopLogging)
Privilege escalation attempts (AddUserToGroup, PutUserPolicy, AssociateIamInstanceProfile)
Root user credential usage (policy violations)
API calls from malicious IP addresses or Tor exit nodes
Penetration testing tools detected (Kali, Parrot, Pentoo Linux)
CloudTrail logging disabled
Password policy weakened or deleted
Multiple worldwide console logins
EC2 instance credential exfiltration
Data exfiltration behaviors
Persistence mechanisms established

Security Relevance:

Critical

Compliance:

PCI-DSS 8.2, 10.2 HIPAA 164.308(a)(5) SOC 2 CC6.1, CC6.6 ISO 27001 A.9.2, A.9.4 NIST CSF PR.AC-1, DE.CM-1 CIS AWS Foundations 1.1-1.22

Frequency Notes:

IAM findings frequency varies by environment. Organizations with active threat hunting see 30-100 findings per hour. Anomalous behavior findings use ML and require training period. Root credential usage should be rare (0-5 per day). Credential exfiltration and privilege escalation are high-severity but lower frequency (5-20 per day). API calls from malicious IPs or Tor nodes indicate active attacks (10-50 per hour during attacks).

Resources

Documentation

GuardDuty IAM Finding Types official
Remediating Compromised AWS Credentials official
GuardDuty Anomaly Detection official

Tools

AWS IAM Access Analyzer
Analyze IAM policies and external access
AWS CloudTrail
View API activity history

Generation Configuration

Base Frequency: 40 events/hour

Time Patterns:

business_hours night_hours weekend

Business Hours Multiplier: 3.0x

Night Hours Multiplier: 1.5x

Weekend Multiplier: 1.0x

Field Definitions

Complete field reference for this event type with data types, descriptions, and example values.

Field Name	Type	Required	Format	Description	Example	Possible Values
detail.type Source: random_choice() of 25 IAM finding types	String	Required	—	GuardDuty IAM finding type indicating attack tactic and detection method	`PrivilegeEscalation:IAMUser/AnomalousBehavior`	`CredentialAccess:IAMUser/AnomalousBehavior` — Anomalous API for credential access (GetPasswordData, GetSecretValue) `DefenseEvasion:IAMUser/AnomalousBehavior` — API to evade detection (DeleteFlowLogs, DisableAlarmActions) `DefenseEvasion:IAMUser/BedrockLoggingDisabled` — Bedrock model invocation logging was disabled `Discovery:IAMUser/AnomalousBehavior` — API for resource discovery (DescribeInstances, ListAccessKeys) `Exfiltration:IAMUser/AnomalousBehavior` — API for data exfiltration (PutBucketReplication, CreateSnapshot) `Impact:IAMUser/AnomalousBehavior` — API to tamper with data (DeleteSecurityGroup, UpdateUser) `InitialAccess:IAMUser/AnomalousBehavior` — API for initial access (StartSession, GetAuthorizationToken) `Persistence:IAMUser/AnomalousBehavior` — API to maintain access (CreateAccessKey, ModifyInstanceAttribute) `PrivilegeEscalation:IAMUser/AnomalousBehavior` — API for privilege escalation (AddUserToGroup, PutUserPolicy) `Policy:IAMUser/RootCredentialUsage` — Root user credentials used (policy violation) `PenTest:IAMUser/KaliLinux` — API invoked from Kali Linux penetration testing tool `Recon:IAMUser/MaliciousIPCaller` — Reconnaissance API from known malicious IP `Recon:IAMUser/TorIPCaller` — Reconnaissance API from Tor exit node `Stealth:IAMUser/CloudTrailLoggingDisabled` — CloudTrail logging was disabled `Stealth:IAMUser/PasswordPolicyChange` — Account password policy was weakened `UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B` — Multiple worldwide successful console logins `UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS` — EC2 instance credentials used from external IP `UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS` — EC2 instance credentials used from another AWS account `UnauthorizedAccess:IAMUser/MaliciousIPCaller` — API invoked from known malicious IP address `UnauthorizedAccess:IAMUser/TorIPCaller` — API invoked from Tor exit node
detail.resource.accessKeyDetails.accessKeyId Source: random_choice(['AKIA', 'ASIA']) + random_string(16)	String	Required	`AKIA or ASIA followed by 16 alphanumeric characters`	IAM access key ID involved in the finding	`AKIAIOSFODNN7EXAMPLE`	—
detail.resource.accessKeyDetails.userType Source: random_choice(['IAMUser', 'AssumedRole', 'Root', 'FederatedUser'])	String	Required	—	Type of IAM principal	`IAMUser`	`IAMUser` — Standard IAM user `AssumedRole` — Temporary credentials from assumed role `Root` — AWS account root user `FederatedUser` — Federated identity user
detail.resource.accessKeyDetails.userName Source: random_choice() from registry users or common names	String	Required	—	Name of the IAM user or role	`admin-user`	—
detail.service.action.awsApiCallAction.api Source: random_choice() of common IAM-related APIs	String	Required	—	AWS API operation that was invoked	`GetPasswordData`	—
detail.service.action.awsApiCallAction.serviceName Source: random_choice() of AWS service domains	String	Required	—	AWS service where API was called	`iam.amazonaws.com`	—
detail.service.action.awsApiCallAction.remoteIpDetails.ipAddressV4 Source: random_public_ip()	String	Required	`IPv4`	Source IP address of API call	`203.0.113.42`	—
detail.service.action.awsApiCallAction.userAgent Source: random_choice() of common user agents	String	Required	—	User agent string of API caller	`aws-cli/2.13.5 Python/3.11.4 Linux/5.15.0`	—
detail.service.additionalInfo.unusual Source: Object with unusual behavior flags	Object	Optional	—	ML model analysis of unusual behaviors for anomalous findings	`{"userIdentity": {"userName": "anomalous"}}`	—
detail.severity Source: random_choice([2, 2, 5, 5, 5, 5, 8, 8])	Integer	Required	—	Finding severity level (0-10)	`5`	`2` — Low severity (1.0-3.9) `5` — Medium severity (4.0-6.9) `8` — High severity (7.0-8.9)

Details

Fields

Medium

Frequency

Feedback

No ratings yet