Skip to content
Threat Feed
high advisory

AWS AMI Attribute Modification for Data Exfiltration

An attacker modifies AWS AMI attributes, potentially sharing an AMI with another AWS account or making it publicly accessible, to exfiltrate sensitive data stored in AWS resources.

An attacker leverages compromised AWS credentials or exploits a misconfigured IAM role to modify Amazon Machine Image (AMI) attributes. This modification can involve sharing the AMI with an external AWS account or making it publicly accessible. The primary goal is to exfiltrate sensitive data stored within the AMI, such as proprietary code, customer data, or internal configurations. This activity is particularly concerning due to the potential for unauthorized access to critical resources and subsequent data breaches. The technique abuses legitimate AWS functionality, making it harder to detect without specific monitoring in place. The sharing of AMI's is a common tactic to enable data exfiltration by threat actors.

Attack Chain

  1. Initial Compromise: The attacker gains access to an AWS account through compromised credentials, exploiting a vulnerability in a web application, or leveraging a misconfigured IAM role.
  2. Enumeration: The attacker enumerates available AMIs within the AWS environment to identify those containing sensitive data.
  3. Privilege Escalation (If Needed): If the initial access doesn't have sufficient privileges, the attacker attempts to escalate privileges to gain the ability to modify AMI attributes.
  4. AMI Attribute Modification: The attacker uses the ModifyImageAttribute API call to modify the AMI's launch permissions. This involves adding external AWS accounts or setting the group to "all", making the AMI public.
  5. Data Exfiltration: The attacker or a collaborator in the external AWS account copies the now-shared AMI to their own environment.
  6. Data Extraction: The attacker launches an EC2 instance from the copied AMI and extracts the sensitive data stored within it.
  7. Cleanup (Optional): The attacker may attempt to remove CloudTrail logs or other evidence of their activity to hinder detection.
  8. Lateral Movement or Further Attacks: The attacker uses the exfiltrated data for further attacks, such as lateral movement within the organization's network or direct extortion.

Impact

A successful AMI attribute modification and exfiltration can lead to significant data breaches, exposing sensitive customer data, proprietary code, or internal configurations. This can result in financial losses, reputational damage, legal liabilities, and regulatory fines. The scope of the impact depends on the sensitivity and volume of data stored within the compromised AMIs. This technique directly targets data confidentiality and integrity, potentially affecting thousands or millions of users if customer data is involved.

Recommendation

Detection coverage 2

Detect Publicly Shared AWS AMI

high

Detects when an AWS AMI is made publicly accessible by modifying its launch permissions to include 'all'.

sigma tactics: collection techniques: T1537 sources: cloudtrail, aws

Detect Externally Shared AWS AMI

medium

Detects when an AWS AMI is shared with another AWS account by modifying its launch permissions.

sigma tactics: collection techniques: T1537 sources: cloudtrail, aws

Detection queries are available on the platform. Get full rules →