If you ever come across a findings as shown below in your Security Hub console with random EC2 instance i-99999999, read on.
<p>EC2 instance i-99999999 is behaving in a manner that may indicate it is being used to perform a Denial of Service (DoS) attack using TCP protocol.</p>
<p>EC2 instance i-99999999 is communicating with Tor Entry node.</p>
<p>EC2 instance i-99999999 may be the target of a DNS rebinding attack.</p>
<p>Data exfiltration through DNS queries from EC2 instance i-99999999</p>
<p>Drop Point domain name queried by EC2 instance i-99999999.</p>
This is how Security Hub shows the sample findings which could be misleading if you are not aware of Guard Duty sample findings that are generated from your account. the instance id EC2 instance i-99999999 doesn’t really exist.
These are the Sample findings that AWS generates to help us visualize and understand the various finding types that GuardDuty can generate.
If you look at Guard Duty findings from Guard Duty console it is clear that these are sample findings
However the confusion comes when you consolidate all AWS security services such as Guard Duty, Macie , Etc into Security Hub then the sample flag disappears and you might be wondering what this instance is.
Solution : As recommended by AWS achieve these findings in Security Hub console.
Learn how to configure Guard Duty in a multi account environment