AWS AMI Attribute Modification for Data Exfiltration
An attacker modifies AWS AMI attributes, potentially sharing an AMI with another AWS account or making it publicly accessible, to exfiltrate sensitive data stored in AWS resources.
An attacker leverages compromised AWS credentials or exploits a misconfigured IAM role to modify Amazon Machine Image (AMI) attributes. This modification can involve sharing the AMI with an external AWS account or making it publicly accessible. The primary goal is to exfiltrate sensitive data stored within the AMI, such as proprietary code, customer data, or internal configurations. This activity is particularly concerning due to the potential for unauthorized access to critical resources and subsequent data breaches. The technique abuses legitimate AWS functionality, making it harder to detect without specific monitoring in place. The sharing of AMI's is a common tactic to enable data exfiltration by threat actors.
Attack Chain
- Initial Compromise: The attacker gains access to an AWS account through compromised credentials, exploiting a vulnerability in a web application, or leveraging a misconfigured IAM role.
- Enumeration: The attacker enumerates available AMIs within the AWS environment to identify those containing sensitive data.
- Privilege Escalation (If Needed): If the initial access doesn't have sufficient privileges, the attacker attempts to escalate privileges to gain the ability to modify AMI attributes.
- AMI Attribute Modification: The attacker uses the
ModifyImageAttributeAPI call to modify the AMI's launch permissions. This involves adding external AWS accounts or setting the group to "all", making the AMI public. - Data Exfiltration: The attacker or a collaborator in the external AWS account copies the now-shared AMI to their own environment.
- Data Extraction: The attacker launches an EC2 instance from the copied AMI and extracts the sensitive data stored within it.
- Cleanup (Optional): The attacker may attempt to remove CloudTrail logs or other evidence of their activity to hinder detection.
- Lateral Movement or Further Attacks: The attacker uses the exfiltrated data for further attacks, such as lateral movement within the organization's network or direct extortion.
Impact
A successful AMI attribute modification and exfiltration can lead to significant data breaches, exposing sensitive customer data, proprietary code, or internal configurations. This can result in financial losses, reputational damage, legal liabilities, and regulatory fines. The scope of the impact depends on the sensitivity and volume of data stored within the compromised AMIs. This technique directly targets data confidentiality and integrity, potentially affecting thousands or millions of users if customer data is involved.
Recommendation
- Enable and monitor AWS CloudTrail logs for
ModifyImageAttributeAPI calls (AWS CloudTrail ModifyImageAttribute Data Source). - Deploy the provided Sigma rule to detect suspicious AMI attribute modifications in your SIEM (Sigma Rule: "Detect Publicly Shared AWS AMI").
- Implement strict IAM policies to limit the ability to modify AMI attributes to only authorized personnel (Reference: https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/).
- Regularly review AMI launch permissions to identify any publicly shared or externally shared AMIs (Reference: https://hackingthe.cloud/aws/enumeration/loot_public_ebs_snapshots/).
- Configure AWS Config rules to automatically detect and remediate publicly shared AMIs (Reference: https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ami/).
- Alert on users who are modifying AMI attributes and do not typically perform that action.
Detection coverage 2
Detect Publicly Shared AWS AMI
highDetects when an AWS AMI is made publicly accessible by modifying its launch permissions to include 'all'.
Detect Externally Shared AWS AMI
mediumDetects when an AWS AMI is shared with another AWS account by modifying its launch permissions.
Detection queries are available on the platform. Get full rules →