[Update] Amazon GuardDuty Can Now Detect Misuse of Leaked Amazon ECS Credentials

[Update] Amazon GuardDuty Can Now Detect Misuse of Leaked Amazon ECS Credentials

We are now able to detect credential leaks even in ECS Fargate environments! While we were at it, we also verified the investigation capabilities of Amazon GuardDuty Investigation. Very impressive!
2026.07.18

This page has been translated by machine translation. View original

Hello, this is Usuda.

Everyone, are you doing threat detection on AWS? (greeting)

This time, the Amazon GuardDuty findings UnauthorizedAccess:IAMUser/ResourceCredentialExfiltration.OutsideAWS and UnauthorizedAccess:IAMUser/ResourceCredentialExfiltration.InsideAWS have added support for ECS, so let's verify this.

Overview

As usual, the following arrived as a new GuardDuty Findings update.

{
    "version": "1",
    "type": "NEW_FINDINGS",
    "findingDetails": [
        {
            "findingType": "UnauthorizedAccess:IAMUser/ResourceCredentialExfiltration.OutsideAWS",
            "link": "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-resourcecredentialexfiltrationoutsideaws",
            "findingDescription": "This finding informs you that a host outside of AWS has attempted to run AWS API operations using temporary AWS credentials that were created on an ECS resource in your AWS environment."
        },
        {
            "findingType": "UnauthorizedAccess:IAMUser/ResourceCredentialExfiltration.InsideAWS",
            "link": "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-resourcecredentialexfiltrationinsideaws",
            "findingDescription": "This finding informs you that a host within AWS has attempted to run AWS API operations using temporary AWS credentials that were created on an ECS resource in your AWS environment."
        }
    ]
}

The documentation link is here.

It says NEW_FINDINGS, but it's actually an update. (Why is that?)

Previously, this detection type was implemented to detect when AWS Lambda credentials were leaked and used externally.

https://dev.classmethod.jp/articles/amazon-guardduty-resource-credential-exfiltration/

In addition to EC2 and Lambda credentials, it is now possible to detect when ECS credentials are leaked as well.

OutsideAWS detects cases where execution occurred from outside AWS, and InsideAWS detects cases where execution occurred from a different AWS account.

Tried It Out

This time, I'll trigger UnauthorizedAccess:IAMUser/ResourceCredentialExfiltration.OutsideAWS detection using ECS on Fargate. It should work fine with ECS on EC2, so being able to detect it on Fargate is a great outcome.

First, I ran a task on Fargate, accessed it via ECS Exec, and obtained some credentials. Then I tried using them from an environment outside AWS. Details are omitted.

After waiting a moment, Amazon GuardDuty detected it.

001_guardduty_ecs_exfiltration

It was properly detected as UnauthorizedAccess:IAMUser/ResourceCredentialExfiltration.OutsideAWS. You can also confirm from the summary that it was executed from an external IP.

Looking at the details, the affected resources include information about the ECS task role. It also shows the launch type as FARGATE, confirming that detection works properly in a Fargate environment!

002_guardduty_ecs_exfiltration

Additionally, ListUsers is listed as an API executed from outside, and detailed information about the origin is shown.

003_guardduty_ecs_exfiltration

Using this as a starting point, you can further trace AWS CloudTrail logs to investigate what activities were performed.

Additional Investigation

Normally I would wrap things up here, but Amazon GuardDuty recently added the Amazon GuardDuty Investigation feature as a preview!

https://dev.classmethod.jp/articles/guardduty-investigation-preview-trial/

This feature allows you to perform additional AI-powered investigation on detected findings! Since it's currently in preview, you can use it for free!

So I tried it out to see how far the investigation could go.

First, I ran the investigation from the Investigation feature by specifying the Finding ID. After a while (6 minutes in this case), the investigation was complete, so let's take a look.

First, the risk level was detected as High. Since credentials were actually leaked, this makes sense.

004_guardduty_ecs_exfiltration

The summary text is a bit lengthy, but the findings are summarized. Among them:

  • CloudTrail logs show execution results from two IPs
  • One was from the Tokyo region, and the other was executed from outside with a macOS user agent
  • From outside, iam:ListUsers and s3:ListBuckets were executed but both failed
  • The external execution occurred 3-4 minutes after the internal AWS execution
  • Activity within 7 days before and after the incident was investigated for the related access key, cluster, role, session, and attacker's IP address, but no other related events were found

These points are explained in the summary.

It's a bit hard to read, but you can see that it investigated quite thoroughly. The details of what happened and the related attacker activity have already been investigated. Excellent!

Below that, there is information mapped to MITRE ATT&CK,

005_guardduty_ecs_exfiltration

along with recommendations on how to respond.

007_guardduty_ecs_exfiltration

This really speeds up investigation and response.

Summary

Amazon GuardDuty now supports detection of credential leaks in ECS.

It's especially great that Fargate is now supported!

Additionally, it was confirmed that the Investigation feature is very powerful. I'd like to continue making active use of it going forward.

Share this article

AWSのお困り事はクラスメソッドへ