---
title: AWS EBS Snapshot possible exfiltration
---

# AWS EBS Snapshot possible exfiltration
- Classification: attack
- Tactic: [TA0010-exfiltration](https://attack.mitre.org/tactics/TA0010)
- Technique: [T1537-transfer-data-to-cloud-account](https://attack.mitre.org/techniques/T1537)
## Goal{% #goal %}

Detect the possible exfiltration of an EBS snapshot.

## Strategy{% #strategy %}

This rule monitors CloudTrail and detects both of the following API calls from the same identity within a 15-minute time window:

- [`CreateSnapshot`](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateSnapshot.html)
- [`ModifySnapshotAttribute`](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html)

An attacker can create an EBS snapshot from an EBS volume and modify the snapshot's permissions to share it [publicly](https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-ebs-snapshot-made-public/) or with another AWS account. From an attacker-controlled account, a new EBS volume can then be created from the snapshot and attached to an EC2 instance for analysis.
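As an added illustration of the correlation this rule performs (example code written for this page, not Datadog's rule implementation), the Python below pairs each `CreateSnapshot` with a later `ModifySnapshotAttribute` issued by the same identity inside the 15-minute window. It assumes the CloudTrail record layout shown in the constructed sample events, and it additionally requires that the modification add a `createVolumePermission` grant, which is stricter than the rule text above.

```python
from datetime import datetime, timedelta

# Constructed CloudTrail-style records (not real account data). Field names follow
# the CloudTrail record schema; account, volume and snapshot ids are placeholders.
SAMPLE_EVENTS = [
    {"eventTime": "2022-10-10T12:00:05Z", "eventName": "CreateSnapshot",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"volumeId": "vol-0aaa"},
     "responseElements": {"snapshotId": "snap-0aaa"}},
    {"eventTime": "2022-10-10T12:09:30Z", "eventName": "ModifySnapshotAttribute",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"snapshotId": "snap-0aaa", "attributeType": "CREATE_VOLUME_PERMISSION",
                           "createVolumePermission": {"add": {"items": [{"userId": "222222222222"}]}}}},
    {"eventTime": "2022-10-10T13:00:00Z", "eventName": "CreateSnapshot",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"},
     "requestParameters": {"volumeId": "vol-0bbb"},
     "responseElements": {"snapshotId": "snap-0bbb"}},
    {"eventTime": "2022-10-10T13:20:00Z", "eventName": "ModifySnapshotAttribute",  # 20 min later: outside window
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"},
     "requestParameters": {"snapshotId": "snap-0bbb", "attributeType": "CREATE_VOLUME_PERMISSION",
                           "createVolumePermission": {"add": {"items": [{"group": "all"}]}}}},
]

WINDOW = timedelta(minutes=15)  # the rule's 15-minute correlation window

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def detect_snapshot_sharing(events, window=WINDOW):
    """Return (arn, snapshot_id, shared_with) for each snapshot whose creation is
    followed, within `window`, by the same identity adding a create-volume permission."""
    created = {}   # snapshotId -> (creator arn, creation time)
    findings = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):  # ISO-8601 strings sort chronologically
        arn = ev["userIdentity"]["arn"]
        if ev["eventName"] == "CreateSnapshot":
            created[ev["responseElements"]["snapshotId"]] = (arn, parse_time(ev["eventTime"]))
        elif ev["eventName"] == "ModifySnapshotAttribute":
            params = ev["requestParameters"]
            grants = params.get("createVolumePermission", {}).get("add", {}).get("items", [])
            if not grants:
                continue  # attribute change that adds no sharing permission: ignore
            snap = params["snapshotId"]
            if snap in created and created[snap][0] == arn \
                    and parse_time(ev["eventTime"]) - created[snap][1] <= window:
                shared_with = [g.get("userId") or g.get("group") for g in grants]
                findings.append((arn, snap, shared_with))
    return findings
```

Running it over `SAMPLE_EVENTS` flags only alice's snapshot: bob's permission change falls outside the window and would need the separate "snapshot made public" rule to be caught.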

## Triage and response{% #triage-and-response %}

1. Determine if `{{@userIdentity.arn}}` should have made the API calls.
2. If the API calls were not made by the user:
   - Rotate user credentials.
   - Determine what other API calls were made by the user.
   - Remove any snapshot attributes generated by the user with the `aws-cli` command [`modify-snapshot-attribute`](https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-snapshot-attribute.html).
   - Begin your organization's incident response process and investigate.
3. If the API calls were made by the user:
   - Determine if the user should be performing these API calls.
   - If **No**, see if other API calls were made by the user and determine if they warrant further investigation.

## Changelog{% #changelog %}

10 October 2022 - Updated query and severity.
