<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Amazon EBS - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/amazon-ebs/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 10 May 2024 10:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/amazon-ebs/feed.xml" rel="self" type="application/rss+xml"/><item><title>AWS EC2 EBS Snapshot Shared or Made Public</title><link>https://feed.craftedsignal.io/briefs/2024-05-aws-ebs-snapshot-shared/</link><pubDate>Fri, 10 May 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-05-aws-ebs-snapshot-shared/</guid><description>An AWS Elastic Block Store (EBS) snapshot is shared with another AWS account or made public, potentially leading to data exfiltration and persistence operations.</description><content:encoded><![CDATA[<p>This rule detects when an Amazon Elastic Block Store (EBS) snapshot is shared with another AWS account or made public. EBS snapshots contain copies of data volumes that may include sensitive or regulated information. Adversaries may exploit <code>ModifySnapshotAttribute</code> to share snapshots with external accounts or the public, allowing them to copy and access data in an environment they control. Public sharing (<code>group=all</code>) represents a severe data exposure risk, as it makes the snapshot globally readable. This activity often precedes data exfiltration or persistence operations, where the attacker transfers stolen data out of the victim account or prepares a staging area for further exploitation. The original detection rule was published on 2024/04/16 and updated on 2026/04/10.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains unauthorized access to an AWS account, potentially through compromised credentials or an exploited vulnerability.</li>
<li>The attacker identifies EBS snapshots containing sensitive data.</li>
<li>The attacker uses the <code>ModifySnapshotAttribute</code> API to modify the snapshot's permissions, adding an external AWS account or making it publicly accessible (<code>group=all</code>).</li>
<li>The attacker may also disable EBS encryption to facilitate easier access to the data.</li>
<li>The external AWS account copies the shared snapshot using <code>CopySnapshot</code>.</li>
<li>The copied snapshot is then mounted as a volume on an EC2 instance within the attacker's AWS account.</li>
<li>The attacker accesses and exfiltrates the sensitive data from the mounted volume.</li>
<li>The attacker may then cover their tracks by deleting the copied snapshot and associated resources in their account.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Compromise of EBS snapshots can lead to the exfiltration of sensitive data, including personally identifiable information (PII), financial records, and proprietary business data. A successful attack could result in regulatory fines, reputational damage, and financial losses. Sharing snapshots publicly can expose data to a wide range of malicious actors, increasing the risk of unauthorized access and misuse. The number of affected snapshots and the sensitivity of the contained data determine the magnitude of the impact.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;AWS EC2 EBS Snapshot Shared or Made Public&quot; to your SIEM and tune for your environment, focusing on <code>ModifySnapshotAttribute</code> events (see rules section).</li>
<li>Review <code>aws.cloudtrail.user_identity.arn</code> and <code>aws.cloudtrail.user_identity.access_key_id</code> to identify who modified the snapshot’s permissions. Evaluate whether this identity is authorized to share EBS snapshots, as described in the overview section.</li>
<li>Restrict <code>ec2:ModifySnapshotAttribute</code> permissions to trusted administrative roles only and enforce multi-factor authentication (MFA) for these accounts, as described in the overview section.</li>
<li>Enable AWS Config rules such as <code>ebs-snapshot-public-restorable-check</code> to continuously monitor for public EBS snapshots, as described in the overview section.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cloud</category><category>aws</category><category>exfiltration</category></item></channel></rss>