CloudQuery causing unauthorized access alert with EC2 instance role usage

Hello everyone! I’ve been working on setting up CloudQuery on my AWS instance. However, upon starting CloudQuery, I encountered an AWS GuardDuty finding indicating UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS.

Credentials created exclusively for an EC2 instance using instance role cloudquery-ec2-role have been used from a remote AWS account 582xxxxxxxx16.

Is this expected behavior? And is there a solution to rectify this issue?

Hey :wave:, can you please post the configuration and the CLI version?

aws.yml

kind: source
spec:
  name: aws
  path: cloudquery/aws
  version: v22.13.2 # https://www.cloudquery.io/docs/plugins/sources/aws/overview
  tables: ["*"]
  skip_tables:
    - aws_stepfunctions_map_runs
  destinations: ["postgresql"]
  spec:
    regions:
      - ap-south-1
      - us-east-1
      - ap-south-2
    aws_debug: false

postgres.yml

kind: destination
spec:
  name: postgresql
  path: cloudquery/postgresql
  version: v6.0.7
  write_mode: overwrite-delete-stale
  spec:
    connection_string: ${PG_CONNECTION_STRING}

Can you try running AWS with v24.1.0 version and see if you get the same GuardDuty alert?

At the same time that you update your AWS plugin to v24.1.0, you should also update your PostgreSQL destination plugin to v7.3.1 to ensure a smooth migration.