Topic 1 Question 173
A company suspects that an attacker has exploited an overly permissive role to export credentials from Amazon EC2 instance metadata. The company uses Amazon GuardDuty and AWS Audit Manager. The company has enabled AWS CloudTrail logging and Amazon CloudWatch logging for all of its AWS accounts.
A security engineer must determine if the credentials were used to access the company's resources from an external account.
Which solution will provide this information?
A. Review GuardDuty findings to find InstanceCredentialExfiltration events.
B. Review assessment reports in the Audit Manager console to find InstanceCredentialExfiltration events.
C. Review CloudTrail logs for GetSessionToken API calls to AWS Security Token Service (AWS STS) that come from an account ID from outside the company.
D. Review CloudWatch logs for GetSessionToken API calls to AWS Security Token Service (AWS STS) that come from an account ID from outside the company.
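As an added example (not part of the question or any commenter's post), the Python below shows what acting on option A looks like in practice: triage of GuardDuty InstanceCredentialExfiltration findings, plus a CloudTrail cross-check for instance-profile credentials called from outside trusted networks. Record shapes are trimmed from the real JSON, and all sample findings, events, account IDs and IPs are constructed.

```python
# Added example, not from the original question or comments: triage of GuardDuty
# InstanceCredentialExfiltration findings plus a CloudTrail cross-check. Record
# shapes are trimmed from the real JSON; all sample records are constructed.
import ipaddress

EXFIL_PREFIX = "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration"
ROLE_ARN = "arn:aws:sts::111122223333:assumed-role/WebRole/i-0123456789abcdef0"

SAMPLE_FINDINGS = [  # constructed, in the shape of GuardDuty GetFindings output
    {"Type": EXFIL_PREFIX + ".OutsideAWS", "Severity": 8.0,
     "Resource": {"InstanceDetails": {"InstanceId": "i-0123456789abcdef0"}},
     "Service": {"Action": {"AwsApiCallAction": {"RemoteIpDetails": {"IpAddressV4": "198.51.100.7"}}}}},
    {"Type": "Recon:EC2/PortProbeUnprotectedPort", "Severity": 2.0,
     "Resource": {"InstanceDetails": {"InstanceId": "i-0feedfacecafebeef"}},
     "Service": {"Action": {}}},
]
SAMPLE_EVENTS = [  # constructed CloudTrail management events
    {"eventName": "ListBuckets", "sourceIPAddress": "10.0.1.25",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN}},
    {"eventName": "GetObject", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN}},
    {"eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
]

def exfiltration_findings(findings):
    """Return (instance_id, remote_ip, variant) for each credential-exfiltration finding.
    The variant suffix (OutsideAWS vs InsideAWS) is what answers the question of
    whether the stolen credentials were used from another AWS account."""
    hits = []
    for f in findings:
        if not f["Type"].startswith(EXFIL_PREFIX):
            continue
        ip = (f["Service"]["Action"].get("AwsApiCallAction", {})
              .get("RemoteIpDetails", {}).get("IpAddressV4"))
        hits.append((f["Resource"]["InstanceDetails"]["InstanceId"], ip, f["Type"].rsplit(".", 1)[1]))
    return hits

def instance_role_calls_from_outside(events, trusted_cidrs):
    """CloudTrail cross-check. EC2 instance-profile sessions use the instance ID as the
    role session name, so the assumed-role ARN ends in '/i-...'. A call from outside
    the VPC/NAT egress ranges (trusted_cidrs) means the credentials left the instance."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    flagged = []
    for e in events:
        ident = e["userIdentity"]
        session = ident["arn"].rsplit("/", 1)[-1]
        if ident["type"] != "AssumedRole" or not session.startswith("i-"):
            continue
        if not any(ipaddress.ip_address(e["sourceIPAddress"]) in n for n in nets):
            flagged.append((session, e["sourceIPAddress"], e["eventName"]))
    return flagged
```

The CloudTrail check only says the credentials were used from an unexpected network; attributing that use to a specific external AWS account is what the GuardDuty finding variant adds.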
Comments (11)
- 👍 4 Zek 2024/05/14
- 👍 4 PegasusForever 2024/06/16
A: UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS
Credentials that were created exclusively for an EC2 instance through an Instance launch role are being used from an external IP address.
Default severity: High
Data source: CloudTrail management events or S3 data events
This finding informs you that a host outside of AWS has attempted to run AWS API operations using temporary AWS credentials that were created on an EC2 instance in your AWS environment. The listed EC2 instance might be compromised, and the temporary credentials from this instance might have been exfiltrated to a remote host outside of AWS.
- 👍 3 grekh001 2024/06/06