AWS EBS Snapshot possible exfiltration
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
Goal
Detect the possible exfiltration of an EBS snapshot.
Strategy
This rule allows you to monitor CloudTrail and detect the following API calls within a 15 minute time window:
An attacker can create a EBS snapshot from the EBS volume and modify the permissions of the snapshot to allow it to be shared publicly or with another AWS account. Using an attacker-controlled account, a new EBS volume can be created from the snapshot and attached to an EC2 instance for analysis.
Triage and response
- Determine if
{{@userIdentity.arn}}
should have made the API calls. - If the API call was not made by the user:
- Rotate user credentials.
- Determine what other API calls were made by the user.
- Remove any snapshot attributes generated by the user with the
aws-cli
command modify-snapshot-attribute
. - Begin your organization’s incident response process and investigate.
- If the API calls were made by the user:
- Determine if the user should be performing these API calls.
- If No, see if other API calls were made by the user and determine if they warrant further investigation.
Changelog
10 October 2022 - Updated query and severity.