Knowledge Base

An EC2 instance has received an API call from the Tor network (GuardDuty)

Provider: AWS
Service: iam
Severity: Medium


Amazon GuardDuty provides monitoring and alerting based on analysis of VPC Flow Logs, CloudTrail logs, and DNS logs. It can alert you about traffic to or from sources that are known to be malicious. It can also identify unusual patterns in AWS account activity. GuardDuty reports when an EC2 instance has received an API from an exit node on the Tor network. This may be evidence that your account has been compromised and that the attacker is using Tor to conceal identity or origin data.

Suggested Action

Verify that IAM credentials used for this API access are valid and needed. Change credentials if there is any doubt.


You will incur additional charges for the service. Amazon GuardDuty is priced based on the number of events and amount of traffic analyzed.


Framework Name Control # Control Description
nist-csf 1.1 Monitor for unauthorized access
us-hipaa-164 2017-10-01 308.a.6.ii Response and Reporting
nist-sp800-171 Revision 1 3.4.7 Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
nist-sp800-171 Revision 1 3.14.6 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.
nist-sp800-171 Revision 1 3.14.7 Identify unauthorized use of organizational systems.
aicpa-soc-2 2017 cc7.2 Monitor for anomlies


  • You can find more information about Amazon GuardDuty at this link
  • You can find more information about GuardDuty unauthorized findings at this link
  • You can find instructions for remediating AWS credentials and EC2 instances at this link