An EC2 instance has received an API call from the Tor network (GuardDuty)
Amazon GuardDuty provides monitoring and alerting based on analysis of VPC Flow Logs, CloudTrail logs, and DNS logs. It can alert you about traffic to or from sources that are known to be malicious, and it can identify unusual patterns in AWS account activity. GuardDuty reports when an EC2 instance has received an API call from an exit node on the Tor network. This may be evidence that your account has been compromised and that the attacker is using Tor to conceal their identity or origin.
Verify that IAM credentials used for this API access are valid and needed. Change credentials if there is any doubt.
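The finding arrives as a JSON document (for example through an EventBridge rule), and the first triage step is pulling out the remote address, the affected instance and the IAM role whose credentials need checking. The following is an added example, not code from the page or from AWS: it assumes the EventBridge "GuardDuty Finding" detail shape and the finding type names `UnauthorizedAccess:EC2/TorIPCaller` and `UnauthorizedAccess:IAMUser/TorIPCaller` as the relevant Tor findings; the account id, instance id, role ARN and the IP 203.0.113.45 are constructed sample values.

```python
"""Triage helper for GuardDuty Tor-exit-node findings delivered via EventBridge.

Added example, not part of the original page. The sample findings are
CONSTRUCTED (fake account id, instance id, documentation-range IP) and the
field layout follows the EventBridge "GuardDuty Finding" detail shape as
assumed here.
"""
from ipaddress import ip_address
from typing import Any, Dict, List


def make_event(ftype: str, severity: float, action: Dict[str, Any]) -> Dict[str, Any]:
    """Build a constructed EventBridge event wrapping one GuardDuty finding."""
    return {
        "detail-type": "GuardDuty Finding",
        "detail": {
            "type": ftype,
            "severity": severity,
            "accountId": "111122223333",  # constructed
            "region": "us-east-1",
            "resource": {
                "resourceType": "Instance",
                "instanceDetails": {
                    "instanceId": "i-0123456789abcdef0",  # constructed
                    "iamInstanceProfile": {
                        "arn": "arn:aws:iam::111122223333:instance-profile/example-role"
                    },
                },
            },
            "service": {"action": action, "count": 3},
        },
    }


# Inbound connection to the instance from a Tor exit node (finding type assumed).
TOR_INBOUND = make_event(
    "UnauthorizedAccess:EC2/TorIPCaller", 5.0,
    {"actionType": "NETWORK_CONNECTION",
     "networkConnectionAction": {
         "connectionDirection": "INBOUND", "protocol": "TCP",
         "localPortDetails": {"port": 443},
         "remoteIpDetails": {"ipAddressV4": "203.0.113.45"}}})

# API call made with the instance role's credentials from a Tor exit node (finding type assumed).
TOR_API_CALL = make_event(
    "UnauthorizedAccess:IAMUser/TorIPCaller", 8.0,
    {"actionType": "AWS_API_CALL",
     "awsApiCallAction": {
         "api": "ListBuckets", "serviceName": "s3.amazonaws.com", "callerType": "Remote IP",
         "remoteIpDetails": {"ipAddressV4": "203.0.113.45"}}})

# An unrelated finding, to show the non-Tor path through the same code.
OTHER = make_event(
    "Recon:EC2/PortProbeUnprotectedPort", 2.0,
    {"actionType": "PORT_PROBE", "portProbeAction": {"blocked": False}})


def severity_label(score: float) -> str:
    """Map GuardDuty's numeric severity to its Low (1.0-3.9) / Medium (4.0-6.9) / High (7.0-8.9) band."""
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


def remote_ip(action: Dict[str, Any]) -> str:
    """Pull the remote IPv4 address from whichever action block the finding carries."""
    key = {"AWS_API_CALL": "awsApiCallAction",
           "NETWORK_CONNECTION": "networkConnectionAction"}.get(action.get("actionType"))
    if key is None:
        return ""
    ip = action.get(key, {}).get("remoteIpDetails", {}).get("ipAddressV4", "")
    if ip:
        ip_address(ip)  # raise ValueError on a malformed address instead of passing junk downstream
    return ip


def triage(event: Dict[str, Any]) -> Dict[str, Any]:
    """Summarise one finding: is it Tor-related, what was touched, and what to verify next."""
    if event.get("detail-type") != "GuardDuty Finding":
        raise ValueError("not a GuardDuty finding event")
    finding = event["detail"]
    instance = finding["resource"].get("instanceDetails", {})
    result = {
        "type": finding["type"],
        "severity": severity_label(float(finding.get("severity", 0))),
        "tor_related": finding["type"].endswith("/TorIPCaller"),
        "instance_id": instance.get("instanceId"),
        "instance_profile": instance.get("iamInstanceProfile", {}).get("arn"),
        "remote_ip": remote_ip(finding["service"]["action"]),
        "next_steps": [],
    }
    if result["tor_related"]:
        # Follows the page's guidance: confirm the credentials are valid and needed, rotate if in doubt.
        result["next_steps"] = [
            f"Review CloudTrail for calls made by {result['instance_profile']} around the finding time",
            f"Confirm the access from {result['remote_ip']} is expected; rotate the role's credentials if in doubt",
            "Record the remote IP so later findings from the same source can be correlated",
        ]
    return result


def needs_escalation(events: List[Dict[str, Any]]) -> List[str]:
    """Return the types of findings that are Tor-related or at least Medium severity."""
    return [r["type"] for r in map(triage, events)
            if r["tor_related"] or r["severity"] in ("MEDIUM", "HIGH")]


if __name__ == "__main__":
    for ev in (TOR_INBOUND, TOR_API_CALL, OTHER):
        print(triage(ev))
    print(needs_escalation([TOR_INBOUND, TOR_API_CALL, OTHER]))
```

`triage` keys off the finding type suffix rather than the IP, because the threat-list match is GuardDuty's, not ours; the caller's job is to act on the role and instance the finding names, which is why the instance profile ARN is surfaced alongside the address.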
You will incur additional charges for the service. Amazon GuardDuty is priced based on the number of events and amount of traffic analyzed.
| Framework Name | Control # | Control Description |
|---|---|---|
| nist-csf 1.1 | de.cm.7 | Monitor for unauthorized access |
| us-hipaa-164 2017-10-01 | 308.a.6.ii | Response and Reporting |
| nist-sp800-171 Revision 1 | 3.4.7 | Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. |
| nist-sp800-171 Revision 1 | 3.14.6 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. |
| nist-sp800-171 Revision 1 | 3.14.7 | Identify unauthorized use of organizational systems. |
| aicpa-soc-2 2017 | cc7.2 | Monitor for anomalies |