EC2 AMI Shared with Another Account
Identifies an AWS Amazon Machine Image (AMI) being shared with another AWS account. Adversaries with access may share an AMI with an external AWS account as a means of data exfiltration. AMIs can contain secrets, bash histories, code artifacts, and other sensitive data that adversaries may abuse if shared with unauthorized accounts. AMIs can be made publicly available accidentally as well.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2024/04/16"
integration = ["aws"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
Identifies an AWS Amazon Machine Image (AMI) being shared with another AWS account. Adversaries with access may share an
AMI with an external AWS account as a means of data exfiltration. AMIs can contain secrets, bash histories, code
artifacts, and other sensitive data that adversaries may abuse if shared with unauthorized accounts. AMIs can be made
publicly available accidentally as well.
"""
false_positives = [
    """
    AMI sharing is a common practice in AWS environments. Ensure that the sharing is authorized before taking action.
    """,
]
from = "now-60m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "EC2 AMI Shared with Another Account"
note = """
## Triage and Analysis

### Investigating EC2 AMI Shared with Another Account

This rule identifies when an Amazon Machine Image (AMI) is shared with another AWS account. While sharing AMIs is a common practice, adversaries may exploit this feature to exfiltrate data by sharing AMIs with external accounts under their control.

#### Possible Investigation Steps

- **Review the Sharing Event**: Identify the AMI involved and review the event details in AWS CloudTrail. Look for `ModifyImageAttribute` actions where the AMI's `launchPermission` attribute was changed to add additional accounts.
    - **Request and Response Parameters**: Check the `aws.cloudtrail.request_parameters` and `aws.cloudtrail.response_elements` fields in the CloudTrail event to identify the AMI ID (`imageId`) and the `userId` values under `launchPermission.add`, which are the 12-digit AWS account IDs the AMI was shared with.
- **Verify the Shared AMI**: Check the AMI that was shared and its contents to determine the sensitivity of the data stored within it.
- **Contextualize with Recent Changes**: Compare this sharing event against recent changes in AMI configurations and deployments. Look for any other recent permissions changes or unusual administrative actions.
- **Validate External Account**: Examine the AWS account to which the AMI was shared. Determine whether this account is known and previously authorized to access such resources.
- **Interview Relevant Personnel**: If the share was initiated by a user, verify the intent and authorization for this action with the person or team responsible for managing AMI deployments.
- **Audit Related Security Policies**: Check the security policies governing AMI sharing within your organization to ensure they are being followed and are adequate to prevent unauthorized sharing.

### False Positive Analysis

- **Legitimate Sharing Practices**: AMI sharing is a common and legitimate practice for collaboration and resource management in AWS. Always verify that the sharing activity was unauthorized before escalating.
- **Automation Tools**: Some organizations use automation tools for AMI management which might programmatically share AMIs. Verify if such tools are in operation and whether their actions are responsible for the observed behavior.

### Response and Remediation

- **Review and Revoke Unauthorized Shares**: If the share is found to be unauthorized, immediately revoke the shared permissions from the AMI.
- **Enhance Monitoring of Shared AMIs**: Implement monitoring to track changes to shared AMIs and alert on unauthorized access patterns.
- **Incident Response**: If malicious intent is confirmed, consider it a data breach incident and initiate the incident response protocol. This includes further investigation, containment, and recovery.
- **Policy Update**: Review and possibly update your organization’s policies on AMI sharing to tighten control and prevent unauthorized access.
- **Educate Users**: Conduct training sessions for users involved in managing AMIs to reinforce best practices and organizational policies regarding AMI sharing.

### Additional Information

For more information on managing and sharing AMIs, refer to the [Amazon EC2 User Guide on AMIs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html) and [Sharing AMIs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-explicit.html). Additionally, explore adversarial techniques related to data exfiltration via AMI sharing as documented by Stratus Red Team [here](https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ami/).

"""
references = [
    "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html",
    "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-explicit.html",
    "https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ami/",
]
risk_score = 47
rule_id = "6a309864-fc3f-11ee-b8cc-f661ea17fbce"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS EC2",
    "Use Case: Threat Detection",
    "Tactic: Exfiltration",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset: "aws.cloudtrail" and event.provider: "ec2.amazonaws.com"
    and event.action: ModifyImageAttribute and event.outcome: success
    and aws.cloudtrail.request_parameters: (*imageId* and *add* and *userId*)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1537"
name = "Transfer Data to Cloud Account"
reference = "https://attack.mitre.org/techniques/T1537/"


[rule.threat.tactic]
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"
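The rule's query, the investigation steps in the note and the "revoke the share" remediation all operate on the same piece of data: the `launchPermission.add` block of a `ModifyImageAttribute` record. The Python below is an added example, not code from the Elastic rule or from AWS, that replays the three KQL predicates over constructed CloudTrail records (all AMI and account IDs are dummy values), extracts the AMI ID and the accounts it was shared with, checks them against a hypothetical `KNOWN_ACCOUNTS` inventory, and produces the `modify_image_attribute` arguments that undo exactly what the event added. Two behaviours of the query are worth seeing on real-shaped input: the Elastic pipeline stores `requestParameters` as a JSON string and sets `event.outcome: failure` when `errorCode` is present, so the wildcards are substring matches on that string. That means a public share (`group: all`) or an organization/OU share never matches `*userId*`, while an unrelated attribute edit whose free text happens to contain "add" and "userId" does, so triage still needs the structural check shown in `extract_share`.

```python
"""Added example (not from the Elastic rule or AWS tooling): replay the rule's KQL over
constructed CloudTrail records, extract what triage needs, and build the revoke call."""
from __future__ import annotations

import json
from dataclasses import dataclass, field

# Hypothetical inventory of accounts allowed to receive AMIs (own org plus vetted partners).
KNOWN_ACCOUNTS = {"111111111111", "222222222222"}
AMI = "ami-0123456789abcdef0"  # dummy AMI ID used by every constructed record


def _record(params: dict, error_code: str | None = None) -> dict:
    """Build a trimmed raw CloudTrail record; IDs and ARNs are constructed dummy values."""
    rec = {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "ModifyImageAttribute",
        "awsRegion": "us-east-1",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
        "requestParameters": params,
        "responseElements": {"_return": True},
    }
    if error_code:  # failed calls carry errorCode and no responseElements
        rec["errorCode"] = error_code
        del rec["responseElements"]
    return rec


def _launch(action: str, items: list[dict]) -> dict:
    return {"imageId": AMI, "attributeType": "launchPermission",
            "launchPermission": {action: {"items": items}}}


# Constructed sample records covering the cases triage has to tell apart.
SAMPLE_RECORDS = {
    "external": _record(_launch("add", [{"userId": "999999999999"}])),
    "known": _record(_launch("add", [{"userId": "222222222222"}])),
    "public": _record(_launch("add", [{"group": "all"}])),          # no userId: KQL misses it
    "revoke": _record(_launch("remove", [{"userId": "999999999999"}])),
    "denied": _record(_launch("add", [{"userId": "999999999999"}]),
                      error_code="Client.UnauthorizedOperation"),  # event.outcome: failure
    "description": _record({"imageId": AMI, "attributeType": "description",
                            "description": {"value": "added userId lookup to agent"}}),
}


def matches_rule(record: dict) -> bool:
    """Mirror of the KQL: EC2 ModifyImageAttribute, success, and the serialized
    request parameters contain the substrings imageId, add and userId."""
    if record.get("eventSource") != "ec2.amazonaws.com":
        return False
    if record.get("eventName") != "ModifyImageAttribute":
        return False
    if "errorCode" in record:  # the Elastic pipeline maps errorCode to event.outcome: failure
        return False
    params = json.dumps(record.get("requestParameters", {}))  # stored as a string in Elastic
    return all(token in params for token in ("imageId", "add", "userId"))


@dataclass
class AmiShare:
    image_id: str
    actor: str
    region: str
    account_ids: list[str] = field(default_factory=list)
    groups: list[str] = field(default_factory=list)
    org_arns: list[tuple[str, str]] = field(default_factory=list)  # (API key, ARN)


def extract_share(record: dict) -> AmiShare | None:
    """Structural check: who shared which AMI with whom. None if no permission was added."""
    params = record.get("requestParameters") or {}
    items = params.get("launchPermission", {}).get("add", {}).get("items", [])
    if not items:
        return None
    share = AmiShare(image_id=params.get("imageId", ""),
                     actor=record.get("userIdentity", {}).get("arn", ""),
                     region=record.get("awsRegion", ""))
    for item in items:
        if "userId" in item:
            share.account_ids.append(item["userId"])
        if "group" in item:
            share.groups.append(item["group"])
        for key, api_key in (("organizationArn", "OrganizationArn"),
                             ("organizationalUnitArn", "OrganizationalUnitArn")):
            if key in item:
                share.org_arns.append((api_key, item[key]))
    return share


def triage(share: AmiShare, known_accounts: set[str]) -> str:
    """public beats everything; any account outside the inventory, or an org share, is external."""
    if "all" in share.groups:
        return "public"
    if share.org_arns or any(a not in known_accounts for a in share.account_ids):
        return "external"
    return "known"


def build_revoke_request(share: AmiShare) -> dict:
    """Keyword arguments for boto3 ec2.modify_image_attribute() that remove exactly
    the launch permissions this event added."""
    remove = [{"UserId": a} for a in share.account_ids]
    remove += [{"Group": g} for g in share.groups]
    remove += [{api_key: arn} for api_key, arn in share.org_arns]
    return {"ImageId": share.image_id, "LaunchPermission": {"Remove": remove}}


def run(records: dict, known_accounts: set[str] = KNOWN_ACCOUNTS) -> dict:
    """Rule plus triage in one pass: {label: verdict} for every record that fires."""
    verdicts = {}
    for label, rec in records.items():
        if not matches_rule(rec):
            continue
        share = extract_share(rec)
        verdicts[label] = triage(share, known_accounts) if share else "no-launch-permission"
    return verdicts


if __name__ == "__main__":
    for label, verdict in run(SAMPLE_RECORDS).items():
        print(f"{label:12s} -> {verdict}")
```

Running it fires on `external`, `known` and `description` only; the public share is the case the query cannot see, so a companion query on `*group*` (or a structural check on `launchPermission.add.items.group`) is needed if accidental public exposure is in scope. For remediation, the dict from `build_revoke_request` is passed straight to `boto3.client("ec2").modify_image_attribute(**req)`; `describe_image_attribute(ImageId=..., Attribute="launchPermission")` afterwards confirms the entry is gone.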
References
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-explicit.html
- https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ami/
Related rules
- AWS EC2 Encryption Disabled
- AWS EC2 Full Network Packet Capture Detected
- AWS EC2 Network Access Control List Creation
- AWS EC2 Snapshot Activity
- AWS EC2 VM Export Failure