AWS EC2 Snapshot Shared Externally
Detection of AWS EC2 snapshot shared publicly, indicating potential data exfiltration, by analyzing AWS CloudTrail events.
This analytic detects when an EC2 snapshot is shared publicly by analyzing AWS CloudTrail events. The detection method leverages CloudTrail logs ingested into Amazon Security Lake to identify modifications in snapshot permissions, specifically when the snapshot is shared outside the originating AWS account. This activity is significant as it may indicate an attempt to exfiltrate sensitive data stored in the snapshot. A threat actor could gain unauthorized access to the snapshot's data, potentially leading to data breaches or further exploitation of the compromised information. The rule focuses on ModifySnapshotAttribute events where the createVolumePermission.add.items{}.group is set to all, indicating public sharing.
Attack Chain
- An attacker gains initial access to an AWS account, potentially through compromised credentials or other means.
- The attacker enumerates existing EC2 snapshots within the AWS environment to identify potentially valuable data.
- The attacker modifies the snapshot's attributes using the
ModifySnapshotAttributeAPI call. - Within the API request, the attacker sets the
createVolumePermission.add.items{}.groupparameter toall, making the snapshot publicly accessible. - The CloudTrail logs record this
ModifySnapshotAttributeevent, capturing the details of the permission change. - The attacker, or any external party, can now create a volume from the publicly shared snapshot in their own AWS account.
- The attacker mounts the volume to an EC2 instance and accesses the data stored within the snapshot.
- The attacker exfiltrates sensitive data from the mounted volume, completing the objective of data theft.
Impact
A successful attack could lead to the exfiltration of sensitive data stored within the EC2 snapshot. The shared snapshot could be accessed by unauthorized individuals, leading to a data breach. This could result in financial losses, reputational damage, and legal liabilities. Depending on the data contained within the snapshot, the impact could range from exposure of proprietary business information to personally identifiable information (PII).
Recommendation
- Deploy the provided Sigma rule to your SIEM to detect publicly shared EC2 snapshots based on
ModifySnapshotAttributeevents in Amazon Security Lake CloudTrail logs. - Investigate any alerts generated by the Sigma rule, focusing on the user (
actor.user.uid) and source IP address (src_endpoint.ip) associated with the event. - Review AWS IAM policies to ensure least privilege and restrict the ability to modify snapshot attributes.
- Implement multi-factor authentication (MFA) for all AWS accounts to reduce the risk of compromised credentials.
Detection coverage 2
Detect AWS EC2 Snapshot Shared Externally
highDetects when an EC2 snapshot is shared publicly by analyzing AWS CloudTrail events.
Detect AWS EC2 Snapshot Modification by External Account
mediumDetects when an EC2 snapshot is modified by an external AWS account.
Detection queries are available on the platform. Get full rules →