Knowledge Base

An EC2 instance has received an API call from the Tor network requesting configuration information (GuardDuty)

Provider: AWS
Service: iam
Severity: Medium


Amazon GuardDuty provides monitoring and alerting based on analysis of VPC Flow Logs, CloudTrail logs, and DNS logs. It can alert you about traffic to or from sources that are known to be malicious. It can also identify unusual patterns in AWS account activity. GuardDuty reports when an EC2 instance has received an API from an exit node on the Tor network. The API call was an attempt to read configuration information. This may be evidence of a reconnaissance action in which the attacker is using the Tor network to conceal their origin and identity.

Suggested Action

Verify that IAM credentials used for this API access are valid and needed. Change credentials if there is any doubt.


You will incur additional charges for the service. Amazon GuardDuty is priced based on the number of events and amount of traffic analyzed.


Framework Name Control # Control Description
nist-csf 1.1 Monitor for unauthorized access
us-hipaa-164 2017-10-01 308.a.6.ii Response and Reporting
nist-sp800-171 Revision 1 3.4.7 Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
nist-sp800-171 Revision 1 3.14.6 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.
nist-sp800-171 Revision 1 3.14.7 Identify unauthorized use of organizational systems.
aicpa-soc-2 2017 cc7.2 Monitor for anomlies


  • You can find more information about Amazon GuardDuty at this link
  • You can find more information about GuardDuty recon findings at this link
  • You can find instructions for remediating AWS credentials and EC2 instances at this link