AWS EBS Snapshot possible exfiltration

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.


Detect the possible exfiltration of an EBS snapshot.


This rule allows you to monitor CloudTrail and detect the following API calls within a 15 minute time window:

An attacker can create a EBS snapshot from the EBS volume and modify the permissions of the snapshot to allow it to be shared publicly or with another AWS account. Using an attacker-controlled account, a new EBS volume can be created from the snapshot and attached to an EC2 instance for analysis.

Triage and response

  1. Determine if {{@userIdentity.arn}} should have made the API calls.
  2. If the API call was not made by the user:
  • Rotate user credentials.
  • Determine what other API calls were made by the user.
  • Remove any snapshot attributes generated by the user with the aws-cli command modify-snapshot-attribute.
  • Begin your organization’s incident response process and investigate.
  1. If the API calls were made by the user:
  • Determine if the user should be performing these API calls.
  • If No, see if other API calls were made by the user and determine if they warrant further investigation.


10 October 2022 - Updated query and severity.