Why did I receive a GuardDuty finding type UnauthorizedAccess:IAMUser/TorIPCaller or Recon:IAMUser/TorIPCaller alerts for my IAM user or role?


I want to troubleshoot the UnauthorizedAccess:IAMUser/TorIPCaller or Recon:IAMUser/TorIPCaller finding type alert that I received from Amazon GuardDuty.

Short description

The UnauthorizedAccess:IAMUser/TorIPCaller and Recon:IAMUser/TorIPCaller finding types indicate that your AWS Identity and Access Management (IAM) identity credentials or access keys were used to call an AWS API from a Tor exit node IP address.

For example, you might receive this finding when the credentials are used to create an Amazon Elastic Compute Cloud (Amazon EC2) instance, list access key IDs, or modify IAM permissions. These finding types can also indicate that the IAM identity credentials or access keys are associated with unauthorized activity. For more information, see Finding types.

Resolution

Use GuardDuty to locate the IAM access key, and AWS CloudTrail to identify the AWS API activity. Complete the following steps:

  1. To review GuardDuty findings, use the GuardDuty console.
  2. Select a finding to see more details. Note the IAM access key ID.
  3. Search for IAM access key API activity. Follow the instructions in the Use CloudTrail event history section in How can I monitor the account activity of specific IAM users, roles, and AWS access keys?
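The three steps above can be scripted so that each TorIPCaller finding is tied to the CloudTrail activity of the access key it names. The following is an added example, not AWS's code: it works on constructed sample data embedded in the file, using the field names that the GuardDuty GetFindings and CloudTrail LookupEvents APIs return (with live data you would feed in the output of `guardduty.get_findings()` and `cloudtrail.lookup_events()` with an `AccessKeyId` lookup attribute). The access key IDs, IP addresses, user names and timestamps are all constructed.

```python
"""Triage helper for GuardDuty TorIPCaller findings (added example, not AWS code).

Reproduces the article's three manual steps on constructed data:
  1. select the TorIPCaller findings,
  2. read the access key ID and Tor exit IP from each finding,
  3. match that key against CloudTrail event records and summarize the calls.
"""
from collections import Counter

TOR_FINDING_TYPES = {
    "UnauthorizedAccess:IAMUser/TorIPCaller",
    "Recon:IAMUser/TorIPCaller",
}

# API calls the article names as typical of this finding; flagged in the summary.
HIGH_IMPACT_APIS = {"RunInstances", "ListAccessKeys", "CreateAccessKey",
                    "AttachUserPolicy", "PutUserPolicy", "UpdateAccessKey"}

# Constructed sample findings in the shape returned by GuardDuty get_findings.
SAMPLE_FINDINGS = [
    {
        "Type": "Recon:IAMUser/TorIPCaller",
        "Severity": 5,
        "Resource": {
            "ResourceType": "AccessKey",
            "AccessKeyDetails": {"AccessKeyId": "AKIAEXAMPLE000000001",
                                 "UserName": "deploy-user", "UserType": "IAMUser"},
        },
        "Service": {"Action": {"ActionType": "AWS_API_CALL", "AwsApiCallAction": {
            "Api": "ListAccessKeys", "ServiceName": "iam.amazonaws.com",
            "RemoteIpDetails": {"IpAddressV4": "198.51.100.7"}}}},
    },
    # An unrelated finding type that the filter must leave out.
    {"Type": "Backdoor:EC2/C&CActivity.B!DNS", "Severity": 8,
     "Resource": {"ResourceType": "Instance"}, "Service": {}},
]

# Constructed CloudTrail event records (same keys as CloudTrail event JSON).
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "ListAccessKeys",
     "eventSource": "iam.amazonaws.com", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001", "userName": "deploy-user"}},
    {"eventTime": "2024-05-01T10:00:30Z", "eventName": "RunInstances",
     "eventSource": "ec2.amazonaws.com", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001", "userName": "deploy-user"}},
    {"eventTime": "2024-05-01T09:00:00Z", "eventName": "GetCallerIdentity",
     "eventSource": "sts.amazonaws.com", "sourceIPAddress": "203.0.113.20",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001", "userName": "deploy-user"}},
    {"eventTime": "2024-05-01T09:30:00Z", "eventName": "DescribeInstances",
     "eventSource": "ec2.amazonaws.com", "sourceIPAddress": "203.0.113.20",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000002", "userName": "other-user"}},
]


def tor_findings(findings):
    """Step 1: keep only the two TorIPCaller finding types."""
    return [f for f in findings if f.get("Type") in TOR_FINDING_TYPES]


def access_key_from_finding(finding):
    """Step 2: extract access key ID, user name, Tor exit IP and API from one finding."""
    details = finding.get("Resource", {}).get("AccessKeyDetails", {})
    action = finding.get("Service", {}).get("Action", {}).get("AwsApiCallAction", {})
    return {
        "access_key_id": details.get("AccessKeyId"),
        "user_name": details.get("UserName"),
        "tor_ip": action.get("RemoteIpDetails", {}).get("IpAddressV4"),
        "api": action.get("Api"),
    }


def summarize_key_activity(events, access_key_id):
    """Step 3: what this key did, from which IPs, and which calls were high impact."""
    mine = [e for e in events if e.get("userIdentity", {}).get("accessKeyId") == access_key_id]
    return {
        "event_count": len(mine),
        "calls": dict(Counter(e["eventName"] for e in mine)),
        "source_ips": sorted({e["sourceIPAddress"] for e in mine}),
        "high_impact": sorted({e["eventName"] for e in mine if e["eventName"] in HIGH_IMPACT_APIS}),
    }


def triage(findings, events):
    """Run the three steps end to end; returns one summary per TorIPCaller finding."""
    results = []
    for finding in tor_findings(findings):
        key = access_key_from_finding(finding)
        summary = summarize_key_activity(events, key["access_key_id"])
        # Cross-check: does the Tor IP from the finding also appear in CloudTrail?
        summary["tor_ip_seen_in_cloudtrail"] = key["tor_ip"] in summary["source_ips"]
        results.append({**key, **summary})
    return results


if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS, SAMPLE_EVENTS):
        print(row)
```

The summary is what decides the next branch of the article: a key whose only calls are the ones the owner expects, from IPs the owner recognizes, supports the legitimate-use path, while high-impact calls from the Tor exit IP (here `ListAccessKeys` followed by `RunInstances`) support treating the credentials as compromised. Note that the sample also shows the same key used from a second, non-Tor IP earlier in the day, which is why the search is keyed on the access key ID rather than on the flagged IP alone.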

If you confirm that the activity is a legitimate use of AWS credentials, then you can:

If you confirm that the activity isn't a legitimate use of AWS credentials, then it's a security best practice to assume that all AWS credentials are compromised. Follow these instructions to remediate compromised AWS credentials.

For more information, see What do I do if I notice unauthorized activity in my AWS account?

Related information

What to do if you inadvertently expose an AWS access key

AWS OFFICIAL
Updated 7 months ago