---
title: Amazon EC2 AMI exfiltration attempt by IAM user
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > Amazon EC2 AMI exfiltration attempt by
  IAM user
---

# Amazon EC2 AMI exfiltration attempt by IAM user
Classification: attack; Tactic: [TA0010-exfiltration](https://attack.mitre.org/tactics/TA0010); Technique: [T1537-transfer-data-to-cloud-account](https://attack.mitre.org/techniques/T1537)
## Goal{% #goal %}

Detect a user attempting to exfiltrate an Amazon EC2 AMI Snapshot.

## Strategy{% #strategy %}

This rule lets you monitor the [ModifyImageAttribute](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyImageAttribute.html) CloudTrail API calls to detect when an Amazon EC2 AMI snapshot is made public or shared with an AWS account.

This rule also inspects:

- `@requestParameters.launchPermission.add.items.group` array to determine whether it contains the string `all`. This indicates that the AMI snapshot was made public.
- `@requestParameters.launchPermission.add.items.userId` array to determine whether it contains the string `*`. This indicates that the AMI snapshot was shared with a new or unknown AWS account.
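The following is an added example, not Datadog's rule implementation, showing the same logic applied to CloudTrail records: the sample events are constructed, the record shape is the one `ModifyImageAttribute` produces, and the `userId` wildcard condition is read here as "any account ID was added" (an assumption about the rule's intent).

```python
from typing import Optional

# Constructed CloudTrail records (not real events), trimmed to the fields the rule reads.
SAMPLE_EVENTS = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "ModifyImageAttribute",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"imageId": "ami-0123456789abcdef0",
                           "launchPermission": {"add": {"items": [{"group": "all"}]}}}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "ModifyImageAttribute",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"},
     "requestParameters": {"imageId": "ami-0fedcba9876543210",
                           "launchPermission": {"add": {"items": [{"userId": "222222222222"}]}}}},
    # Revoking public access must not fire: the permission sits under "remove", not "add".
    {"eventSource": "ec2.amazonaws.com", "eventName": "ModifyImageAttribute",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/carol"},
     "requestParameters": {"imageId": "ami-0aaaaaaaaaaaaaaaa",
                           "launchPermission": {"remove": {"items": [{"group": "all"}]}}}},
    # Unrelated EC2 call: filtered out by eventName.
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeImages",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dave"},
     "requestParameters": {}},
]


def evaluate_event(event: dict) -> Optional[dict]:
    """Apply the rule logic to one CloudTrail record; return a finding or None."""
    if event.get("eventSource") != "ec2.amazonaws.com" or event.get("eventName") != "ModifyImageAttribute":
        return None
    params = event.get("requestParameters") or {}
    # Only permissions being *added* matter; "remove" entries tighten access.
    items = ((params.get("launchPermission") or {}).get("add") or {}).get("items") or []
    groups = {i["group"] for i in items if "group" in i}
    user_ids = {i["userId"] for i in items if "userId" in i}
    if "all" in groups:
        reason = "AMI made public (launchPermission group 'all' added)"
    elif user_ids:
        # Assumption: the rule's userId wildcard is read as "any account ID added".
        reason = "AMI shared with account(s): " + ", ".join(sorted(user_ids))
    else:
        return None
    return {"arn": event.get("userIdentity", {}).get("arn"), "imageId": params.get("imageId"), "reason": reason}


def run_rule(events: list) -> list:
    """Evaluate a batch of records and keep only those that match the rule."""
    return [f for f in (evaluate_event(e) for e in events) if f]


if __name__ == "__main__":
    for finding in run_rule(SAMPLE_EVENTS):
        print(f"Triage {finding['arn']}: {finding['reason']} ({finding['imageId']})")
```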

## Triage and response{% #triage-and-response %}

1. Confirm whether the user `{{@userIdentity.arn}}` intended to make the AMI snapshot public.
1. If the user did not make the API call:
   - Rotate the credentials.
   - Investigate if the same credentials made other unauthorized API calls.
