AWS EC2 AMI Shared with Another Account

Last updated on 2025-07-16
Created on 2024-04-16

About

Identifies an AWS Amazon Machine Image (AMI) being shared with another AWS account. Adversaries with access may share an AMI with an external AWS account as a means of data exfiltration. AMIs can contain secrets, bash histories, code artifacts, and other sensitive data that adversaries may abuse if shared with unauthorized accounts. AMIs can be made publicly available accidentally as well.
Tags
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS EC2
Use Case: Threat Detection
Tactic: Exfiltration
Language: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Exfiltration (TA0010)

False Positive Examples
AMI sharing is a common practice in AWS environments. Ensure that the sharing is authorized before taking action. AWS Marketplace subscriptions automatically result in assets.marketplace.amazonaws.com invoking ModifyImageAttribute to share the AMI with your account. This rule excludes Marketplace-invoked sharing by design. Other AWS services like workspaces.amazonaws.com and backup.amazonaws.com may invoke this action when users configure sharing through WorkSpaces or Backup plans. Review such service-invoked events to confirm they match legitimate and intended sharing configurations.
License
Elastic License v2

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
filebeat-*
logs-aws.cloudtrail-*
Related Integrations

aws

Query
event.dataset: "aws.cloudtrail" and event.provider: "ec2.amazonaws.com"
    and event.action: ModifyImageAttribute and event.outcome: success
    and aws.cloudtrail.request_parameters: *add=*
    and not aws.cloudtrail.user_identity.invoked_by: "assets.marketplace.amazonaws.com"
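
The query's clauses applied to raw CloudTrail records, with a triage step for the false-positive cases described above. This is an added example, not part of the Elastic rule or its repository. Assumptions: the ECS fields map to the raw CloudTrail fields `eventSource`, `eventName`, `errorCode`, `userIdentity.invokedBy` and `requestParameters.launchPermission.add.items`; the function names, verdict labels, account IDs and the `TRUSTED` allowlist are hypothetical.

```python
MARKETPLACE = "assets.marketplace.amazonaws.com"
REVIEW_SERVICES = {"workspaces.amazonaws.com", "backup.amazonaws.com"}
TRUSTED = {"111111111111"}  # assumption: placeholder allowlist of your own accounts

def added_permissions(rec):
    """launchPermission entries being added (the query's `*add=*` clause)."""
    perm = (rec.get("requestParameters") or {}).get("launchPermission") or {}
    return (perm.get("add") or {}).get("items") or []

def rule_matches(rec):
    """True when a raw CloudTrail record satisfies every clause of the query."""
    invoked_by = (rec.get("userIdentity") or {}).get("invokedBy")
    return (rec.get("eventSource") == "ec2.amazonaws.com"
            and rec.get("eventName") == "ModifyImageAttribute"
            and "errorCode" not in rec  # failed calls carry an errorCode
            and bool(added_permissions(rec))
            and invoked_by != MARKETPLACE)

def triage(rec, trusted=TRUSTED):
    """Return None if the rule would not fire, else (verdict, targets)."""
    if not rule_matches(rec):
        return None
    targets = [i.get("userId") or i.get("group") or "unrecognized"
               for i in added_permissions(rec)]
    invoked_by = (rec.get("userIdentity") or {}).get("invokedBy")
    if "all" in targets:  # group=all makes the AMI public
        return "public", targets
    if invoked_by in REVIEW_SERVICES:
        return "service-invoked", targets
    ok = all(t in trusted for t in targets)
    return ("trusted-account" if ok else "untrusted-account"), targets

def sample(add=None, remove=None, invoked_by=None, error=None):
    """Build a constructed (not real) ModifyImageAttribute record."""
    perm = {k: {"items": v} for k, v in (("add", add), ("remove", remove)) if v}
    rec = {"eventSource": "ec2.amazonaws.com", "eventName": "ModifyImageAttribute",
           "userIdentity": {"invokedBy": invoked_by} if invoked_by else {},
           "requestParameters": {"imageId": "ami-EXAMPLE", "launchPermission": perm}}
    return {**rec, "errorCode": error} if error else rec

SAMPLES = [  # constructed events covering each clause of the query
    sample(add=[{"userId": "999999999999"}]),
    sample(add=[{"userId": "999999999999"}], invoked_by=MARKETPLACE),
    sample(remove=[{"userId": "999999999999"}]),
    sample(add=[{"group": "all"}]),
    sample(add=[{"userId": "999999999999"}], error="Client.UnauthorizedOperation"),
    sample(add=[{"userId": "111111111111"}], invoked_by="backup.amazonaws.com"),
]
```

Only the first, fourth and sixth samples would raise an alert; the Marketplace-invoked share, the permission removal and the failed call are filtered out by the query itself.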

Install detection rules in Elastic Security

Detect AWS EC2 AMI Shared with Another Account in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.