AWS EBS Snapshot Made Public

cloudtrail

Classification:

attack

Tactic:

TA0010-exfiltration

Technique:

T1537-transfer-data-to-cloud-account

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Goal

Detect when an EBS snapshot is made public.

Strategy

This rule lets you monitor these CloudTrail API calls to detect when an EBS snapshot is made public:

This rule inspects the @requestParameters.createVolumePermission.add.items.group array to determine if the string all is contained. This is the indicator which means the EBS snapshot is made public.

Triage and response

  1. Determine if the EBS snapshot should be made public.
  2. Determine which user, {{@@userIdentity.arn}}, in your organization made the EBS snapshot public.
  3. Contact the user to see if they intended to make the EBS snapshot public.
  4. If the user did not make the API call:
    • Rotate the credentials.
    • Investigate if the same credentials made other unauthorized API calls.
    • Revert AMI permissions to the original state.
    • Begin your company’s IR process and investigate.

Changelog

11 November 2022 - Added additional triage and response steps.

PREVIEWING: may/unit-testing