AWS EC2 EBS Snapshot Access Permissions Removed
Detection of AWS EC2 EBS snapshot access permissions removal can indicate malicious attempts to disrupt data recovery, evade detection, or maintain exclusive backup access, leading to increased attack impact and incident response complexity.
This detection identifies the removal of access permissions from shared AWS EC2 EBS snapshots using AWS CloudTrail logs. EBS snapshots are critical for data retention and disaster recovery. Threat actors may attempt to revoke or modify snapshot permissions to prevent legitimate users or processes from accessing backups, which hinders recovery efforts following data loss or destructive actions. This tactic can also be employed to evade detection or maintain exclusive access to sensitive backups, amplifying the impact of attacks and complicating incident response. This behavior matters because successful removal of access can significantly delay or prevent data recovery, leading to prolonged downtime and potential data loss. The rule focuses on identifying ModifySnapshotAttribute events where access is being removed, specifically looking for changes to CREATE_VOLUME_PERMISSION via remove=.
Attack Chain
- The attacker gains unauthorized access to an AWS account, possibly through compromised credentials or exploiting IAM misconfigurations.
- The attacker enumerates available EC2 EBS snapshots within the targeted AWS environment to identify potential targets for disruption.
- The attacker uses the
ModifySnapshotAttributeAPI call to remove access permissions from the identified EBS snapshots, specifically targeting theCREATE_VOLUME_PERMISSIONattribute. - The request parameters in the CloudTrail logs indicate the removal of access, observed through the presence of
"attributeType=CREATE_VOLUME_PERMISSION"and"remove=". - Legitimate users or automated processes attempting to restore data from the affected snapshots will fail, hindering recovery efforts.
- The attacker may repeat the process across multiple snapshots to maximize the impact and disrupt the entire recovery strategy.
- The attacker may also delete snapshots entirely using
DeleteSnapshotto ensure complete data loss. - The attacker achieves their objective of disrupting business operations, holding data for ransom, or covering tracks by preventing forensic analysis and recovery.
Impact
Successful removal of EBS snapshot access can have significant consequences. Organizations may face extended downtime, data loss, and reputational damage. Depending on the criticality of the affected systems, financial losses and regulatory penalties may also occur. The number of victims and sectors targeted can vary, but any organization relying on AWS for data storage and backup is potentially at risk. If the attack succeeds, the organization's ability to recover from data loss events like ransomware or accidental deletion is severely compromised, potentially leading to irreversible data loss.
Recommendation
- Deploy the Sigma rule
AWS EBS Snapshot Access Removalto detect unauthorized modification of snapshot access permissions in your AWS environment. Enable AWS CloudTrail logging and ensure logs are ingested to your SIEM (Security Information and Event Management) to enable the rule. - Review IAM policies and restrict
ec2:ModifySnapshotAttributepermissions to only trusted administrative roles as mentioned in the rule's investigation steps. - Enable AWS Config rules and Security Hub controls such as
ebs-snapshot-public-restorable-checkto provide continuous monitoring and compliance checks, as recommended in the rule's response section. - Implement backup immutability using AWS Backup Vault Lock or S3 Object Lock to protect against unauthorized modifications, as mentioned in the response section.
- Investigate any alerts generated by the Sigma rule, examining
aws.cloudtrail.user_identity.arnandsource.ipto identify the actor and source of the access removal, as indicated in the rule's triage section.
Detection coverage 2
AWS EBS Snapshot Access Removal
mediumDetects the removal of access permissions from AWS EC2 EBS snapshots via the ModifySnapshotAttribute API call.
AWS EBS Snapshot Delete Protection Removal
mediumDetects when delete protection is removed from an AWS EC2 EBS snapshot via the ModifySnapshotAttribute API call.
Detection queries are available on the platform. Get full rules →