AWS EC2 EBS Snapshot Shared or Made Public
An AWS Elastic Block Store (EBS) snapshot is shared with another AWS account or made public, potentially leading to data exfiltration and persistence operations.
This rule detects when an Amazon Elastic Block Store (EBS) snapshot is shared with another AWS account or made public. EBS snapshots contain copies of data volumes that may include sensitive or regulated information. Adversaries may exploit ModifySnapshotAttribute to share snapshots with external accounts or the public, allowing them to copy and access data in an environment they control. Public sharing (group=all) represents a severe data exposure risk, as it makes the snapshot globally readable. This activity often precedes data exfiltration or persistence operations, where the attacker transfers stolen data out of the victim account or prepares a staging area for further exploitation. The original detection rule was published on 2024/04/16 and updated on 2026/04/10.
Attack Chain
- An attacker gains unauthorized access to an AWS account, potentially through compromised credentials or an exploited vulnerability.
- The attacker identifies EBS snapshots containing sensitive data.
- The attacker uses the
ModifySnapshotAttributeAPI to modify the snapshot's permissions, adding an external AWS account or making it publicly accessible (group=all). - The attacker may also disable EBS encryption to facilitate easier access to the data.
- The external AWS account copies the shared snapshot using
CopySnapshot. - The copied snapshot is then mounted as a volume on an EC2 instance within the attacker's AWS account.
- The attacker accesses and exfiltrates the sensitive data from the mounted volume.
- The attacker may then cover their tracks by deleting the copied snapshot and associated resources in their account.
Impact
Compromise of EBS snapshots can lead to the exfiltration of sensitive data, including personally identifiable information (PII), financial records, and proprietary business data. A successful attack could result in regulatory fines, reputational damage, and financial losses. Sharing snapshots publicly can expose data to a wide range of malicious actors, increasing the risk of unauthorized access and misuse. The number of affected snapshots and the sensitivity of the contained data determine the magnitude of the impact.
Recommendation
- Deploy the Sigma rule "AWS EC2 EBS Snapshot Shared or Made Public" to your SIEM and tune for your environment, focusing on
ModifySnapshotAttributeevents (see rules section). - Review
aws.cloudtrail.user_identity.arnandaws.cloudtrail.user_identity.access_key_idto identify who modified the snapshot’s permissions. Evaluate whether this identity is authorized to share EBS snapshots, as described in the overview section. - Restrict
ec2:ModifySnapshotAttributepermissions to trusted administrative roles only and enforce multi-factor authentication (MFA) for these accounts, as described in the overview section. - Enable AWS Config rules such as
ebs-snapshot-public-restorable-checkto continuously monitor for public EBS snapshots, as described in the overview section.
Detection coverage 2
AWS EC2 EBS Snapshot Shared or Made Public
mediumDetects when an Amazon Elastic Block Store (EBS) snapshot is shared with another AWS account or made public.
AWS EC2 EBS Snapshot Publicly Shared
highDetects when an Amazon Elastic Block Store (EBS) snapshot is made publicly accessible.
Detection queries are available on the platform. Get full rules →