AWS EC2 EBS Snapshot Shared with Another Account
Identifies AWS EC2 EBS snapshots being shared with another AWS account. EBS volumes can be copied into snapshots, which can then be shared with an external AWS account or made public. Adversaries may attempt this in order to copy the snapshot into an environment they control and read the data from it.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2024/04/16"
integration = ["aws"]
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.13.0"
updated_date = "2024/10/02"

[rule]
author = ["Elastic"]
description = """
Identifies AWS EC2 EBS snapshots being shared with another AWS account. EBS virtual disks can be copied into snapshots,
which can then be shared with an external AWS account or made public. Adversaries may attempt this in order to copy the
snapshot into an environment they control, to access the data.
"""
false_positives = [
    """
    EBS snapshot sharing is a common practice in AWS environments. Ensure that the sharing is authorized before taking action.
    """,
]
from = "now-9m"
language = "esql"
license = "Elastic License v2"
name = "AWS EC2 EBS Snapshot Shared with Another Account"
note = """

## Triage and Analysis

### Investigating AWS EC2 EBS Snapshot Shared with Another Account

This rule detects when an AWS EC2 EBS snapshot is shared with another AWS account. EBS virtual disks can be copied into snapshots, which can then be shared with an external AWS account or made public. Adversaries may attempt this to copy the snapshot into an environment they control to access the data. Understanding the context and legitimacy of such changes is crucial to determine if the action is benign or malicious.

#### Possible Investigation Steps:

- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who made the change. Verify if this actor typically performs such actions and if they have the necessary permissions.
- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand the specific changes made to the snapshot permissions. Look for any unusual parameters that could suggest unauthorized or malicious modifications.
- **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the geographical origin of the request. An external or unexpected location might indicate compromised credentials or unauthorized access.
- **Contextualize with Timestamp**: Use the `@timestamp` field to check when the change occurred. Modifications during non-business hours or outside regular maintenance windows might require further scrutiny.
- **Correlate with Other Activities**: Search for related CloudTrail events before and after this change to see if the same actor or IP address engaged in other potentially suspicious activities.

### False Positive Analysis:

- **Legitimate Administrative Actions**: Confirm if the snapshot sharing aligns with scheduled updates, development activities, or legitimate administrative tasks documented in change management systems.
- **Consistency Check**: Compare the action against historical data of similar actions performed by the user or within the organization. If the action is consistent with past legitimate activities, it might indicate a false alarm.
- **Verify through Outcomes**: Check the `aws.cloudtrail.response_elements` and the `event.outcome` to confirm if the change was successful and intended according to policy.

### Response and Remediation:

- **Immediate Review and Reversal if Necessary**: If the change was unauthorized, update the snapshot permissions to remove any unauthorized accounts and restore it to its previous state.
- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar actions, especially those involving sensitive data or permissions.
- **Educate and Train**: Provide additional training to users with administrative rights on the importance of security best practices concerning snapshot management and sharing permissions.
- **Audit Snapshots and Policies**: Conduct a comprehensive audit of all snapshots and associated policies to ensure they adhere to the principle of least privilege.
- **Incident Response**: If there's an indication of malicious intent or a security breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences.

### Additional Information:

For further guidance on managing EBS snapshots and securing AWS environments, refer to the [AWS EBS documentation](https://docs.aws.amazon.com/ebs/latest/userguide/ebs-modifying-snapshot-permissions.html) and AWS best practices for security. Additionally, consult the following resources for specific details on EBS snapshot security:
- [AWS EBS Snapshot Permissions](https://docs.aws.amazon.com/ebs/latest/userguide/ebs-modifying-snapshot-permissions.html)
- [AWS API ModifySnapshotAttribute](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html)
- [AWS EBS Snapshot Dump](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump)
"""
references = [
    "https://docs.aws.amazon.com/ebs/latest/userguide/ebs-modifying-snapshot-permissions.html",
    "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html",
    "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump",
]
risk_score = 21
rule_id = "4182e486-fc61-11ee-a05d-f661ea17fbce"
severity = "low"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS EC2",
    "Use Case: Threat Detection",
    "Tactic: Exfiltration",
]
timestamp_override = "event.ingested"
type = "esql"

query = '''
from logs-aws.cloudtrail-* metadata _id, _version, _index
| where event.provider == "ec2.amazonaws.com" and event.action == "ModifySnapshotAttribute" and event.outcome == "success"
| dissect aws.cloudtrail.request_parameters "{%{?snapshotId}=%{snapshotId},%{?attributeType}=%{attributeType},%{?createVolumePermission}={%{operationType}={%{?items}=[{%{?userId}=%{userId}}]}}}"
| where operationType == "add" and cloud.account.id != userId
| keep @timestamp, aws.cloudtrail.user_identity.arn, cloud.account.id, event.action, snapshotId, attributeType, operationType, userId
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1537"
name = "Transfer Data to Cloud Account"
reference = "https://attack.mitre.org/techniques/T1537/"


[rule.threat.tactic]
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"
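The ES|QL query above matches successful `ModifySnapshotAttribute` calls whose `createVolumePermission` adds a principal other than the trail's own account; its `dissect` pattern captures the first `userId` (or, for a public share, the literal `all` from `group=all`). The following is an added example, not Elastic's rule code, that applies the same logic to raw CloudTrail JSON records (the structured `requestParameters` object rather than the flattened string the rule dissects). The account ids, ARNs, IPs and snapshot ids in the sample log are constructed; it treats public shares and multi-account shares explicitly, which the one-item dissect pattern does not.

```python
"""Replay of the rule's condition over constructed CloudTrail JSON lines.

Added example; not part of Elastic's rule. All identifiers below are fictional.
"""
import json

OWN_ACCOUNT = "111111111111"   # the account whose trail we are reading (cloud.account.id)


def _event(snapshot_id, operation, items, error_code=None, account=OWN_ACCOUNT):
    """Build one CloudTrail record in the shape EC2 emits for ModifySnapshotAttribute."""
    rec = {
        "eventSource": "ec2.amazonaws.com",            # event.provider
        "eventName": "ModifySnapshotAttribute",         # event.action
        "recipientAccountId": account,                  # cloud.account.id
        "userIdentity": {"arn": f"arn:aws:iam::{account}:user/backup-admin"},
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {
            "snapshotId": snapshot_id,
            "attributeType": "CREATE_VOLUME_PERMISSION",
            "createVolumePermission": {operation: {"items": items}},
        },
    }
    if error_code:                                      # presence => event.outcome != "success"
        rec["errorCode"] = error_code
    return rec


# Constructed sample log (one JSON record per line), covering the cases the rule must decide.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    _event("snap-0a1b2c3d4e5f60001", "add", [{"userId": "222222222222"}]),          # external share
    _event("snap-0a1b2c3d4e5f60002", "add", [{"userId": OWN_ACCOUNT}]),             # own account, benign
    _event("snap-0a1b2c3d4e5f60003", "remove", [{"userId": "222222222222"}]),       # revocation, not a share
    _event("snap-0a1b2c3d4e5f60004", "add", [{"userId": "333333333333"}],
           error_code="Client.UnauthorizedOperation"),                              # failed call
    _event("snap-0a1b2c3d4e5f60005", "add", [{"group": "all"}]),                    # made public
    _event("snap-0a1b2c3d4e5f60006", "add",
           [{"userId": "444444444444"}, {"userId": OWN_ACCOUNT}]),                  # two grantees, one external
])


def load_events(jsonl_text):
    """Parse newline-delimited CloudTrail records."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def external_snapshot_shares(events, own_account):
    """Return one finding per principal outside own_account that was granted createVolumePermission."""
    findings = []
    for e in events:
        if e.get("eventSource") != "ec2.amazonaws.com":
            continue
        if e.get("eventName") != "ModifySnapshotAttribute":
            continue
        if "errorCode" in e:                            # only successful changes, as in the rule
            continue
        params = e.get("requestParameters") or {}
        grants = (params.get("createVolumePermission") or {}).get("add") or {}
        for item in grants.get("items") or []:
            if "group" in item:                         # {"group": "all"} means anyone can copy it
                grantee = f"group:{item['group']}"
            else:
                grantee = item.get("userId")
            if grantee is None or grantee == own_account:
                continue
            findings.append({
                "snapshot_id": params.get("snapshotId"),
                "grantee": grantee,
                "actor": e.get("userIdentity", {}).get("arn"),
                "source_ip": e.get("sourceIPAddress"),
            })
    return findings


if __name__ == "__main__":
    for f in external_snapshot_shares(load_events(SAMPLE_LOG), OWN_ACCOUNT):
        print(f)
```

Running the file prints three findings: the external share, the public share (grantee `group:all`) and the external half of the two-grantee call. The failed call and the self-share produce nothing, matching the `event.outcome == "success"` and `cloud.account.id != userId` conditions of the rule.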
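The reversal step in the rule's Response and Remediation section (remove unauthorized accounts from the snapshot, then confirm the change) is a `DescribeSnapshotAttribute` read followed by `ModifySnapshotAttribute` with `OperationType="remove"` and a second read. The following is an added example, not Elastic's or AWS's code. The two functions take any object exposing boto3's EC2 `describe_snapshot_attribute` and `modify_snapshot_attribute` methods, so `boto3.client("ec2")` works against a real account; `FakeEc2` is a constructed in-memory stand-in, with fictional account and snapshot ids, so the file runs offline.

```python
"""Revoke unapproved createVolumePermission grants on an EBS snapshot and verify.

Added example; not Elastic's rule code or an AWS SDK sample. Identifiers are fictional.
"""


def snapshot_permissions(ec2, snapshot_id):
    """Return (user_ids, groups) currently allowed to create volumes from the snapshot."""
    resp = ec2.describe_snapshot_attribute(SnapshotId=snapshot_id,
                                           Attribute="createVolumePermission")
    perms = resp.get("CreateVolumePermissions", [])
    user_ids = [p["UserId"] for p in perms if "UserId" in p]
    groups = [p["Group"] for p in perms if "Group" in p]       # "all" == public snapshot
    return user_ids, groups


def revoke_unapproved_shares(ec2, snapshot_id, approved_accounts):
    """Remove every grantee not in approved_accounts, plus any public grant, then re-check."""
    user_ids, groups = snapshot_permissions(ec2, snapshot_id)
    revoke_users = sorted(u for u in user_ids if u not in approved_accounts)
    if revoke_users:
        ec2.modify_snapshot_attribute(SnapshotId=snapshot_id,
                                      Attribute="createVolumePermission",
                                      OperationType="remove", UserIds=revoke_users)
    if groups:   # a public snapshot is never treated as approved here
        ec2.modify_snapshot_attribute(SnapshotId=snapshot_id,
                                      Attribute="createVolumePermission",
                                      OperationType="remove", GroupNames=groups)
    # Verify against the API, not just the CloudTrail record of our own call.
    remaining_users, remaining_groups = snapshot_permissions(ec2, snapshot_id)
    leftovers = [u for u in remaining_users if u not in approved_accounts] + remaining_groups
    if leftovers:
        raise RuntimeError(f"{snapshot_id}: grants still present after revoke: {leftovers}")
    return {"revoked_users": revoke_users, "revoked_groups": groups,
            "remaining_users": remaining_users}


class FakeEc2:
    """Constructed offline stand-in for the two boto3 EC2 calls used above."""

    def __init__(self, permissions):
        self._perms = {sid: list(p) for sid, p in permissions.items()}

    def describe_snapshot_attribute(self, SnapshotId, Attribute):
        assert Attribute == "createVolumePermission"
        return {"SnapshotId": SnapshotId,
                "CreateVolumePermissions": list(self._perms[SnapshotId])}

    def modify_snapshot_attribute(self, SnapshotId, Attribute, OperationType,
                                  UserIds=(), GroupNames=()):
        assert Attribute == "createVolumePermission"
        current = self._perms[SnapshotId]
        if OperationType == "remove":
            self._perms[SnapshotId] = [
                p for p in current
                if p.get("UserId") not in UserIds and p.get("Group") not in GroupNames]
        elif OperationType == "add":
            current.extend([{"UserId": u} for u in UserIds] +
                           [{"Group": g} for g in GroupNames])
        else:
            raise ValueError(OperationType)
        return {}


if __name__ == "__main__":
    # Constructed state: one approved partner account, one unknown account, and a public grant.
    ec2 = FakeEc2({"snap-0a1b2c3d4e5f60001": [
        {"UserId": "555555555555"}, {"UserId": "222222222222"}, {"Group": "all"}]})
    print(revoke_unapproved_shares(ec2, "snap-0a1b2c3d4e5f60001",
                                   approved_accounts={"555555555555"}))
```

The same two operations are available from the CLI as `aws ec2 describe-snapshot-attribute --attribute createVolumePermission` and `aws ec2 modify-snapshot-attribute --operation-type remove --user-ids ...` (or `--group-names all` for a public grant); the point of the re-read is that the remediation itself produces a `ModifySnapshotAttribute` event with `operationType == "remove"`, which the rule deliberately ignores, so success has to be confirmed from the attribute, not from the alert stream.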
Related rules
- EC2 AMI Shared with Another Account
- AWS S3 Bucket Policy Added to Share with External Account
- Insecure AWS EC2 VPC Security Group Ingress Rule Added
- AWS S3 Bucket Replicated to Another Account
- AWS RDS DB Snapshot Shared with Another Account