LoFP / AMI sharing is a common practice in AWS environments. Ensure that the sharing is authorized before taking action.

Sample rules

AWS EC2 EBS Snapshot Shared or Made Public

Description

Identifies AWS EC2 EBS snapshots being shared with another AWS account or made public. EBS virtual disks can be copied into snapshots, which can then be shared with an external AWS account or made public. Adversaries may attempt this in order to copy the snapshot into an environment they control, to access the data.

Detection logic

from logs-aws.cloudtrail-* metadata _id, _version, _index
| where
  event.provider == "ec2.amazonaws.com"
  and event.action == "ModifySnapshotAttribute"
  and event.outcome == "success"

// Extract snapshotId, attribute type, operation type, and userId
| dissect aws.cloudtrail.request_parameters
  "{%{?snapshotId}=%{Esql.aws_cloudtrail_request_parameters_snapshot_id},%{?attributeType}=%{Esql.aws_cloudtrail_request_parameters_attribute_type},%{?createVolumePermission}={%{Esql.aws_cloudtrail_request_parameters_operation_type}={%{?items}=[{%{?userId}=%{Esql_priv.aws_cloudtrail_request_parameters_user_id}}]}}}"

// Check for snapshot permission added for another AWS account
| where
  Esql.aws_cloudtrail_request_parameters_operation_type == "add"
  and cloud.account.id != Esql_priv.aws_cloudtrail_request_parameters_user_id

// keep ECS and derived fields
| keep
  @timestamp,
  aws.cloudtrail.user_identity.arn,
  cloud.account.id,
  event.action,
  Esql.aws_cloudtrail_request_parameters_snapshot_id,
  Esql.aws_cloudtrail_request_parameters_attribute_type,
  Esql.aws_cloudtrail_request_parameters_operation_type,
  Esql_priv.aws_cloudtrail_request_parameters_user_id,
  source.ip

AWS EC2 AMI Shared with Another Account

Description

Identifies an AWS Amazon Machine Image (AMI) being shared with another AWS account. Adversaries with access may share an AMI with an external AWS account as a means of data exfiltration. AMIs can contain secrets, bash histories, code artifacts, and other sensitive data that adversaries may abuse if shared with unauthorized accounts. AMIs can be made publicly available accidentally as well.

Detection logic

event.dataset: "aws.cloudtrail" and event.provider: "ec2.amazonaws.com"
    and event.action: ModifyImageAttribute and event.outcome: success
    and aws.cloudtrail.request_parameters: *add=*
    and not aws.cloudtrail.user_identity.invoked_by: "assets.marketplace.amazonaws.com"
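The two rules above, reimplemented in Python over a handful of constructed CloudTrail events, as an added example that is not part of the original page or of Elastic's rule set. Events are plain dicts keyed by the same ECS field names the rules use; the request_parameters strings, account ids, snapshot id, AMI id and source address are all made up. The regex mirrors the snapshot rule's dissect pattern (key names are matched and discarded, values are captured, as dissect's named skip keys do), and the KQL wildcard `*add=*` is treated as a substring match. The example also shows why the snapshot rule catches a public share: a `group=all` grant captures the grantee "all", which is never equal to cloud.account.id.

```python
import re
from typing import Optional

# Constructed (fictional) account that owns the resources in the sample events.
OWN_ACCOUNT = "123456789012"

# Python regex equivalent of the ES|QL dissect pattern in the snapshot rule.
# Key names (snapshotId, attributeType, ...) are matched with [^=,]+ / [^=]+ and
# discarded, like %{?name} named-skip keys in dissect; only values are captured.
SNAPSHOT_PARAMS = re.compile(
    r"^\{[^=,]+=(?P<snapshot_id>[^,]+),"
    r"[^=,]+=(?P<attribute_type>[^,]+),"
    r"[^=,]+=\{(?P<operation_type>[^=]+)=\{[^=]+=\[\{[^=]+=(?P<grantee>[^}]+)\}\]\}\}\}$"
)


def snapshot_shared_externally(event: dict) -> Optional[dict]:
    """EBS snapshot rule: return the dissected fields if the event matches, else None."""
    if (event.get("event.provider") != "ec2.amazonaws.com"
            or event.get("event.action") != "ModifySnapshotAttribute"
            or event.get("event.outcome") != "success"):
        return None
    m = SNAPSHOT_PARAMS.match(event.get("aws.cloudtrail.request_parameters", ""))
    if m is None:
        return None  # dissect would yield nulls here and the later where-clause drops the row
    fields = m.groupdict()
    # Only permission additions count; removing a grant is not a sharing event.
    if fields["operation_type"] != "add":
        return None
    # Either a foreign userId or a "group=all" grant (grantee "all", i.e. made public)
    # satisfies cloud.account.id != user_id.
    if fields["grantee"] == event.get("cloud.account.id"):
        return None
    return fields


def ami_shared_with_account(event: dict) -> bool:
    """AMI rule: successful ModifyImageAttribute carrying an add= grant, not via Marketplace."""
    return (
        event.get("event.dataset") == "aws.cloudtrail"
        and event.get("event.provider") == "ec2.amazonaws.com"
        and event.get("event.action") == "ModifyImageAttribute"
        and event.get("event.outcome") == "success"
        and "add=" in event.get("aws.cloudtrail.request_parameters", "")
        and event.get("aws.cloudtrail.user_identity.invoked_by")
        != "assets.marketplace.amazonaws.com"
    )


def run_rules(events: list) -> list:
    """Apply both rules and return one alert dict per match, in input order."""
    alerts = []
    for ev in events:
        actor = ev.get("aws.cloudtrail.user_identity.arn")
        snap = snapshot_shared_externally(ev)
        if snap is not None:
            alerts.append({"rule": "ebs_snapshot_shared", "actor": actor, **snap})
        if ami_shared_with_account(ev):
            alerts.append({"rule": "ami_shared", "actor": actor})
    return alerts


def _ev(action: str, params: str, **overrides) -> dict:
    """Build a constructed CloudTrail event in ECS field naming (sample data, not real logs)."""
    base = {
        "event.dataset": "aws.cloudtrail",
        "event.provider": "ec2.amazonaws.com",
        "event.action": action,
        "event.outcome": "success",
        "cloud.account.id": OWN_ACCOUNT,
        "aws.cloudtrail.user_identity.arn": f"arn:aws:iam::{OWN_ACCOUNT}:user/example-admin",
        "aws.cloudtrail.request_parameters": params,
        "source.ip": "203.0.113.10",
    }
    base.update(overrides)
    return base


SNAP = "snap-0a1b2c3d4e5f67890"  # constructed snapshot id
AMI_PARAMS = "{imageId=ami-0f1e2d3c4b5a69788,launchPermission={add={items=[{userId=111122223333}]}}}"
EVENTS = [
    # 1: snapshot shared with another (made-up) account -> alert
    _ev("ModifySnapshotAttribute", f"{{snapshotId={SNAP},attributeType=createVolumePermission,"
        "createVolumePermission={add={items=[{userId=111122223333}]}}}"),
    # 2: snapshot made public (group=all) -> alert
    _ev("ModifySnapshotAttribute", f"{{snapshotId={SNAP},attributeType=createVolumePermission,"
        "createVolumePermission={add={items=[{group=all}]}}}"),
    # 3: grant removed -> no alert
    _ev("ModifySnapshotAttribute", f"{{snapshotId={SNAP},attributeType=createVolumePermission,"
        "createVolumePermission={remove={items=[{userId=111122223333}]}}}"),
    # 4: same share attempt but the API call failed -> no alert
    _ev("ModifySnapshotAttribute", f"{{snapshotId={SNAP},attributeType=createVolumePermission,"
        "createVolumePermission={add={items=[{userId=111122223333}]}}}",
        **{"event.outcome": "failure"}),
    # 5: AMI launch permission granted to another account -> alert
    _ev("ModifyImageAttribute", AMI_PARAMS),
    # 6: identical grant issued through AWS Marketplace -> excluded by the rule
    _ev("ModifyImageAttribute", AMI_PARAMS,
        **{"aws.cloudtrail.user_identity.invoked_by": "assets.marketplace.amazonaws.com"}),
]

if __name__ == "__main__":
    for alert in run_rules(EVENTS):
        print(alert)
```

Events 1, 2 and 5 produce alerts; 3, 4 and 6 do not. The alerts carry the actor ARN and, for the snapshot rule, the dissected snapshot id and grantee, which is the minimum a triage analyst needs to apply the false-positive note at the top of the page (confirm the grant was authorized before acting).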