I received GuardDuty UnauthorizedAccess brute force finding type alerts for my Amazon EC2 instance. What should I do?

3 minutos de lectura

Amazon GuardDuty detected alerts for the UnauthorizedAccess:EC2/RDPBruteForce or UnauthorizedAccess:EC2/SSHBruteForce finding types for my Amazon Elastic Compute Cloud (Amazon EC2) instance.

Short description

Brute force attacks can indicate unauthorized access to your AWS resources. For more information, see Finding types.


Follow these instructions to check the GuardDuty finding type description, finding IDs, and detector IDs for more details about the brute force attack.

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

Check the GuardDuty finding type description

Follow the instructions to view and analyze your GuardDuty findings.

In the finding details pane, note the title of the finding type similar to the following:

" is performing RDP brute force attacks against i-99999999. Brute force attacks are used to gain unauthorized access to your instance by guessing the RDP password."

In this example, the description indicates which Amazon EC2 instance is impacted, the direction of the brute force attack, and the IP address.

Check the GuardDuty finding IDs and detector IDs

1.    Open the GuardDuty console.

2.    In the navigation pane, choose Findings.

3.    In Finding type, choose the UnauthorizedAccess finding type.

4.    In the finding type details pane, choose the Finding ID.

5.    In Findings JSON, note the GuardDuty finding and detector IDs.

6.    Run this AWS CLI command:

Note: Replace your-detector-id and your-findings-id with your GuardDuty detector and finding IDs.

aws guardduty get-findings --detector-id your-detector-id --finding-ids your-findings-id --query 'Findings[].Service.Action.NetworkConnectionAction.ConnectionDirection'

You receive an output similar to the following:


7.    Run this AWS CLI command:

aws guardduty get-findings --detector-id your-detector-id --finding-ids your-findings-id --query 'Findings[].Service.Action.NetworkConnectionAction.RemoteIpDetails.IpAddressV4'

You receive an output similar to the following:


In this example, the Amazon EC2 instance security group allows SSH/RDP traffic and is open to the public.

To mitigate the issue, you can restrict SSH/RDP traffic for only a set of IP addresses authorized to access the Amazon EC2 instance.

To restrict SSH traffic, see Adding a rule for inbound SSH traffic to a Linux instance.

To restrict RDP traffic, see Adding a rule for inbound RDP traffic to a Windows instance.

Related information

How to use Amazon GuardDuty and AWS Web Application Firewall to automatically block suspicious hosts

How do I use GuardDuty to identify SSH brute force attacks on Linux instances?

How do I set up a trusted IP address list for GuardDuty?

OFICIAL DE AWSActualizada hace 2 años