Why doesn't access from Kali Linux appear in GuardDuty

Question

I have a Kali OS running as a docker container. From this I ssh into an Ubuntu machine which is a managed instance and is appearing in GuardDuty for the other tests i have done (Custom threat list)

I ssh into this ubuntu from kali linux. 
I queried the EC2 instances and S3 buckets from CLI.

But none of these activities appeared as suspicious in the AWS GuardDuty.

I was expecting it to come as a finding, as this could be a case of pilfered credentials used to access this AWS account from an attacker OS.

It should have at least picked up the S3 access in this category i think: 
PenTest:S3/KaliLinux

Answer

Are you running the AWS CLI commands from within the Ubuntu machine after SSH'ing into it? If so, based on the Amazon GuardDuty docs for PenTest:S3/KaliLinux, this sounds like expected behavior. In this case, the API requests are executing in the context of the Ubuntu instance and will appear to originate from that OS (not Kali).

If you're able to, you may want to try installing the AWS CLI in your Kali Linux container and query the S3 APIs from it directly. I would expect this approach to trigger the GuardDuty rules you're looking for in your testing.

Why doesn't access from Kali Linux appear in GuardDuty

관련 콘텐츠