EC2 Snapshot Data Leak via Public Permission Grant
Last updated on:
In this page
About the rule
Rule Type
Standard
Rule Description
Detects EC2 snapshot permissions being set to public (all), exposing disk data to any AWS account.
Severity
Critical
Rule Requirement
Criteria
Action1:
actionname = "AWS EC2 Snapshot Activity" AND (REQUESTPARAMETERS contains "add" AND REQUESTPARAMETERS contains "all")
select Action1.CALLER,Action1.HOSTNAME,Action1.IPADDRESS,Action1.LOG_EVENT_NAME,Action1.SOURCE,Action1.SOURCE_REGION,Action1.REQUESTPARAMETERS
Detection
Execution Mode
realtime
Log Sources
AWS


