AWS EC2 EBS Snapshot Shared with Another Account

Last updated 2 months ago on 2024-10-02

Created 7 months ago on 2024-04-16

About

Identifies AWS EC2 EBS snaphots being shared with another AWS account. EBS virtual disks can be copied into snapshots, which can then be shared with an external AWS account or made public. Adversaries may attempt this in order to copy the snapshot into an environment they control, to access the data.

Tags

Domain: CloudData Source: AWSData Source: Amazon Web ServicesData Source: AWS EC2Use Case: Threat DetectionTactic: Exfiltration

Severity

low

Risk Score

MITRE ATT&CK™

Exfiltration (TA0010)(opens in a new tab or window)

↳ Transfer Data to Cloud Account (T1537)(opens in a new tab or window)

False Positive Examples

AMI sharing is a common practice in AWS environments. Ensure that the sharing is authorized before taking action.

License

Elastic License v2(opens in a new tab or window)

Definition

Integration Pack: Prebuilt Security Detection Rules
Related Integrations: aws(opens in a new tab or window)
Query

from logs-aws.cloudtrail-* metadata _id, _version, _index
| where event.provider == "ec2.amazonaws.com" and event.action == "ModifySnapshotAttribute" and event.outcome == "success"
| dissect aws.cloudtrail.request_parameters "{%{?snapshotId}=%{snapshotId},%{?attributeType}=%{attributeType},%{?createVolumePermission}={%{operationType}={%{?items}=[{%{?userId}=%{userId}}]}}}"
| where operationType == "add" and cloud.account.id != userId
| keep @timestamp, aws.cloudtrail.user_identity.arn, cloud.account.id, event.action, snapshotId, attributeType, operationType, userId

Install detection rules in Elastic Security

Detect AWS EC2 EBS Snapshot Shared with Another Account in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).