AWS Security ChangesHomeSearch

AWS guardduty documentation change

Service: guardduty · 2026-03-10 · Documentation low

File: guardduty/latest/ug/guardduty_finding-types-iam.md

Summary

Added detailed documentation for CredentialAccess:IAMUser/CompromisedCredentials finding type including detection logic and remediation

Security assessment

Introduces documentation for a new security monitoring feature rather than patching a vulnerability

Diff

diff --git a/guardduty/latest/ug/guardduty_finding-types-iam.md b/guardduty/latest/ug/guardduty_finding-types-iam.md
index 1ff938e95..b4371559b 100644
--- a//guardduty/latest/ug/guardduty_finding-types-iam.md
+++ b//guardduty/latest/ug/guardduty_finding-types-iam.md
@@ -5 +5 @@
-CredentialAccess:IAMUser/AnomalousBehaviorDefenseEvasion:IAMUser/AnomalousBehaviorDefenseEvasion:IAMUser/BedrockLoggingDisabledDiscovery:IAMUser/AnomalousBehaviorExfiltration:IAMUser/AnomalousBehaviorImpact:IAMUser/AnomalousBehaviorInitialAccess:IAMUser/AnomalousBehaviorPenTest:IAMUser/KaliLinuxPenTest:IAMUser/ParrotLinuxPenTest:IAMUser/PentooLinuxPersistence:IAMUser/AnomalousBehaviorPolicy:IAMUser/RootCredentialUsagePolicy:IAMUser/ShortTermRootCredentialUsagePrivilegeEscalation:IAMUser/AnomalousBehaviorRecon:IAMUser/MaliciousIPCallerRecon:IAMUser/MaliciousIPCaller.CustomRecon:IAMUser/TorIPCallerStealth:IAMUser/CloudTrailLoggingDisabledStealth:IAMUser/PasswordPolicyChangeUnauthorizedAccess:IAMUser/ConsoleLoginSuccess.BUnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWSUnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWSUnauthorizedAccess:IAMUser/MaliciousIPCallerUnauthorizedAccess:IAMUser/MaliciousIPCaller.CustomUnauthorizedAccess:IAMUser/ResourceCredentialExfiltration.OutsideAWSUnauthorizedAccess:IAMUser/TorIPCaller
+CredentialAccess:IAMUser/AnomalousBehaviorCredentialAccess:IAMUser/CompromisedCredentialsDefenseEvasion:IAMUser/AnomalousBehaviorDefenseEvasion:IAMUser/BedrockLoggingDisabledDiscovery:IAMUser/AnomalousBehaviorExfiltration:IAMUser/AnomalousBehaviorImpact:IAMUser/AnomalousBehaviorInitialAccess:IAMUser/AnomalousBehaviorPenTest:IAMUser/KaliLinuxPenTest:IAMUser/ParrotLinuxPenTest:IAMUser/PentooLinuxPersistence:IAMUser/AnomalousBehaviorPolicy:IAMUser/RootCredentialUsagePolicy:IAMUser/ShortTermRootCredentialUsagePrivilegeEscalation:IAMUser/AnomalousBehaviorRecon:IAMUser/MaliciousIPCallerRecon:IAMUser/MaliciousIPCaller.CustomRecon:IAMUser/TorIPCallerStealth:IAMUser/CloudTrailLoggingDisabledStealth:IAMUser/PasswordPolicyChangeUnauthorizedAccess:IAMUser/ConsoleLoginSuccess.BUnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWSUnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWSUnauthorizedAccess:IAMUser/MaliciousIPCallerUnauthorizedAccess:IAMUser/MaliciousIPCaller.CustomUnauthorizedAccess:IAMUser/ResourceCredentialExfiltration.OutsideAWSUnauthorizedAccess:IAMUser/TorIPCaller
@@ -18,0 +19,2 @@ For all IAM-related findings, we recommend that you examine the entity in questi
+  * CredentialAccess:IAMUser/CompromisedCredentials
+
@@ -90,0 +93,21 @@ If this activity is unexpected, your credentials may be compromised. For more in
+## CredentialAccess:IAMUser/CompromisedCredentials
+
+### An IAM access key was identified as potentially compromised by Amazon threat intelligence.
+
+**Default severity: High**
+
+  * **Feature:** Included with Foundational Data Source Protection
+
+
+
+
+**Full description:**
+
+This finding informs you that an IAM access key associated with your AWS account has been identified as potentially compromised by Amazon threat intelligence. The compromised credential was then used to invoke API operations in your AWS environment. The list of API calls made using the compromised credential, along with the count and timestamps of each call, the access key involved, and the source IP address are included in the finding details.
+
+The credential compromise in this finding is identified by Amazon threat intelligence. AWS monitors potentially compromised credentials through usage patterns and generates this finding when such a credential is observed being used.
+
+**Remediation recommendations:**
+
+If this activity is unexpected, your credentials may be compromised. For more information, see [Remediating potentially compromised AWS credentials](./compromised-creds.html).
+