EC2 Snapshot Exfiltration via External Account Sharing

Last updated on:

About the rule

Rule Type

Standard

Rule Description

Detects external principal additions to EC2 snapshot permissions. Can generate false positives - add exceptions for backup services, automation, and approved cross-account access.

Severity

Trouble

Rule Requirement

Criteria

Action1: actionname = "AWS EC2 Snapshot Activity" AND (REQUESTPARAMETERS contains "add") select Action1.CALLER,Action1.HOSTNAME,Action1.IPADDRESS,Action1.LOG_EVENT_NAME,Action1.SOURCE,Action1.SOURCE_REGION,Action1.REQUESTPARAMETERS

Detection

Execution Mode

realtime

Log Sources

AWS