EC2 Snapshot Exfiltration via External Account Sharing
Last updated on:
In this page
About the rule
Rule Type
Standard
Rule Description
Detects external principal additions to EC2 snapshot permissions. Can generate false positives - add exceptions for backup services, automation, and approved cross-account access.
Severity
Trouble
Rule Requirement
Criteria
Action1:
actionname = "AWS EC2 Snapshot Activity" AND (REQUESTPARAMETERS contains "add")
select Action1.CALLER,Action1.HOSTNAME,Action1.IPADDRESS,Action1.LOG_EVENT_NAME,Action1.SOURCE,Action1.SOURCE_REGION,Action1.REQUESTPARAMETERS
Detection
Execution Mode
realtime
Log Sources
AWS


