Amazon GuardDuty added the detection of EC2 instance credentials being used by other AWS accounts. This improves upon the previous state where only credentials being used by IP addresses outside of the AWS network were reported on. This new detection is available within all regions.
Amazon GuardDuty is a threat detection service that continuously monitors for malicious or unauthorized behavior within AWS accounts and workloads. The service can be centrally managed across multiple AWS accounts and requires no additional software or hardware to be installed.
The new threat detection responds to EC2 instance credentials being used from another AWS account. EC2 instance credentials are temporary credentials that are made available from the EC2 instance metadata service (IMDS). These can then be provided to applications running on the EC2 instance to authorize activities permitted by the attached AWS IAM role.
If the credentials is been used from an affiliated account, as in an account monitored by the same GuardDuty admin account, then the alert is labeled as medium severity. All other detections are labeled as high severity.
These credentials could be compromised if, for example, an application running on the EC2 instance has an open exploit. A malicious actor could leverage that application to access the IMDS and extract the credentials. Those credentials have permissions as granted by the attached IAM role, meaning the actor now can act as if they are the application on the EC2 instance.
There are a number of possible ways that the credentials can become compromised, including leveraging a RCE vulnerability. Application-level vulnerabilities can also be exploited such as SSRF or XXE injection.
The new threat detection is available now within all regions at no additional cost.its enabled automatically when GuardDuty is enabled.