AWS GuardDuty now detects EC2 instance credential exfiltration

Amazon Web Services (AWS), added a new capability this week to Amazon GuardDuty that allows the threat detection service, Amazon GuardDuty, to spot Elastic Compute Cloud instance credentials being used for other AWS accounts.
Amazon GuardDuty was created to continuously monitor for malicious activity and unauthorized behaviour on AWS accounts, workloads, and data stored in Amazon Simple Storage Service. (Amazon S3) Sebastien Stormacq is the AWS principal developer advocate. He described it in a blog post.
GuardDuty is powered by machine learning and based on a variety of public and AWS-generated data streams, GuardDuty analyses billions of events to find patterns, trends, and anomalies that can be used to identify signs of something amiss. It is easy to enable it and you will see the first findings in minutes.
GuardDuty was launched in 2017 and has been able detect instances where EC2 credentials are being used from IP addresses other than AWS. These temporary credentials are made available via the EC2 metadata to all applications running on an instance that has an AWS Identity and Access Management role attached. A malicious actor could gain access to an instance’s metadata service and extract the credential — permissions which define the IAM role attached.
AWS provides detailed security alerts to account owners when anomalies are detected outside of AWS. This makes it easy to integrate alerts with existing event management and workflow systems.
GuardDuty added this capability to protect against clever attackers who use credentials from other AWS accounts within the AWS network to hide their activities, the company stated in a statement. GuardDuty now generates alerts if it detects a misused EC2 instance credential from an affiliated account (accounts that are monitored by the same GuardDuty administrator account also known as GuardDuty member accounts). GuardDuty allows users the ability to terminate compromised instances and shut down an application in order to prevent an attacker extracting renewed instance credentials after expiration.
The new capability is automatically enabled on AWS accounts at no additional cost.