I received GuardDuty UnauthorizedAccess brute force finding type alerts for my Amazon EC2 instance. What should I do?

3 minute read
0

Amazon GuardDuty detected alerts for the UnauthorizedAccess:EC2/RDPBruteForce or UnauthorizedAccess:EC2/SSHBruteForce finding types for my Amazon Elastic Compute Cloud (Amazon EC2) instance.

Short description

Brute force attacks can indicate unauthorized access to your AWS resources. For more information, see the UnauthorizedAccess:EC2/RDPBruteForce and UnauthorizedAccess:EC2/SSHBruteForce finding types.

Resolution

Follow these instructions to check the GuardDuty finding type description, finding IDs, and detector IDs for more details about the brute force attack.

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

Check the GuardDuty finding type description

Follow the instructions to view and analyze your GuardDuty findings.

In the finding details pane, note the title of the finding type similar to the following:

"198.51.100.0 is performing RDP brute force attacks against i-99999999. Brute force attacks are used to gain unauthorized access to your instance by guessing the RDP password."

In this example, the description indicates which Amazon EC2 instance is affected, the direction of the brute force attack, and the IP address.

Check the GuardDuty finding IDs and detector IDs

To check the GuardDuty finding IDs and detector IDs, follow these steps:

  1. Open the GuardDuty console.

  2. In the navigation pane, choose Findings.

  3. In Finding type, choose the UnauthorizedAccess finding type.

  4. In the finding type details pane, choose the Finding ID.

  5. In Findings JSON, note the GuardDuty finding and detector IDs.

  6. Run this AWS CLI command:
    Note: Replace your-detector-id and your-findings-id with your GuardDuty detector and finding IDs.

    aws guardduty get-findings --detector-id your-detector-id --finding-ids your-findings-id --query 'Findings[].Service.Action.NetworkConnectionAction.ConnectionDirection'

    You receive an output similar to the following:

    [    "INBOUND"
    ]
  7. Run this AWS CLI command:

      
    aws guardduty get-findings --detector-id your-detector-id --finding-ids your-findings-id --query 'Findings[].Service.Action.NetworkConnectionAction.RemoteIpDetails.IpAddressV4'

    You receive an output similar to the following:

    [    "198.51.100.0"
    ]
    

In this example, the Amazon EC2 instance security group allows SSH/RDP traffic which allows access to all traffic on the internet.

To mitigate the issue, you can restrict SSH/RDP traffic for only a set of IP addresses authorized to access the Amazon EC2 instance.

To restrict SSH traffic, add a rule for inbound SSH traffic to a Linux instance.

To restrict RDP traffic, add a rule for inbound RDP traffic to a Windows instance.

Related information

How to use Amazon GuardDuty and AWS Web Application Firewall to automatically block suspicious hosts

How do I use GuardDuty to identify SSH brute force attacks on Linux instances?

How do I set up a trusted IP address list for GuardDuty?

AWS OFFICIAL
AWS OFFICIALUpdated 5 months ago