How to respond to the GuardDuty Detection UnauthorizedAccess EC2 TorClient
AWS GuardDuty has detected that your instance is running a Tor client. Tor is software that allows users to browse the internet anonymously. While Tor can be used for legitimate purposes, it can also be used for malicious activities.
You can get a playbook on how to respond to security incidents in Cloud and Container environments here.
AWS identifies these connections by comparing the source/destination IP to the public list of Tor nodes.
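The comparison described above, as an added example (not code from the original page or from AWS): it takes findings shaped like the GuardDuty GetFindings response and reports, per instance, which remote IPs appear on a Tor node list. The sample findings, instance ID, IP addresses and node list are constructed.

```python
import ipaddress
from collections import defaultdict

FINDING_TYPE = "UnauthorizedAccess:EC2/TorClient"

def _sample(ftype, instance, ip, port, count):
    """Build a constructed finding with only the GetFindings fields used below."""
    return {"Type": ftype,
            "Resource": {"InstanceDetails": {"InstanceId": instance}},
            "Service": {"Count": count, "Action": {"NetworkConnectionAction": {
                "ConnectionDirection": "OUTBOUND",
                "RemoteIpDetails": {"IpAddressV4": ip},
                "RemotePortDetails": {"Port": port}}}}}

# Constructed sample data (documentation-range IPs, made-up instance ID).
SAMPLE_FINDINGS = [
    _sample(FINDING_TYPE, "i-0123456789abcdef0", "203.0.113.10", 9001, 12),
    _sample(FINDING_TYPE, "i-0123456789abcdef0", "192.0.2.55", 443, 1),
    _sample("Recon:EC2/PortProbeUnprotectedPort", "i-0123456789abcdef0", "198.51.100.7", 22, 3),
]
# Constructed stand-in for a snapshot of the public Tor node list.
SAMPLE_TOR_NODES = {"203.0.113.10", "198.51.100.7"}

def triage(findings, tor_nodes):
    """Group TorClient findings by instance and check each remote IP against tor_nodes."""
    nodes = {ipaddress.ip_address(n) for n in tor_nodes}
    report = defaultdict(list)
    for f in findings:
        if f.get("Type") != FINDING_TYPE:
            continue  # other finding types need their own playbook
        service = f.get("Service", {})
        conn = service.get("Action", {}).get("NetworkConnectionAction", {})
        remote = conn.get("RemoteIpDetails", {}).get("IpAddressV4")
        if not remote:
            continue  # no remote address to compare
        instance = f.get("Resource", {}).get("InstanceDetails", {}).get("InstanceId", "unknown")
        report[instance].append({
            "remote_ip": remote,
            "remote_port": conn.get("RemotePortDetails", {}).get("Port"),
            "direction": conn.get("ConnectionDirection"),
            "events": service.get("Count", 1),
            # False can mean the node has left the list since the event, so
            # compare against a snapshot from the time of the finding.
            "on_tor_list": ipaddress.ip_address(remote) in nodes,
        })
    return dict(report)

if __name__ == "__main__":
    for instance, rows in triage(SAMPLE_FINDINGS, SAMPLE_TOR_NODES).items():
        for row in rows:
            print(instance, row)
```
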
If you are using Tor for legitimate purposes, you can continue to use your instance as normal. However, if you are using Tor for malicious activities, you should stop using your instance and take action to secure your environment.
If you are not sure why your instance was flagged, you can submit a ticket to the AWS GuardDuty team for further investigation.