IAM users may occasionally share EC2 snapshots with another AWS account belonging to the same organization. If known behavior is causing false positives, it can be exempted from the rule.

Techniques

Sample rules

AWS EC2 Snapshot Activity

Description

An attempt was made to modify AWS EC2 snapshot attributes. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data from an EC2 fleet. If the permissions were modified, verify the snapshot was not shared with an unauthorized or unexpected AWS account.

Detection logic

event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:ModifySnapshotAttribute
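As an added example (not part of this LoFP entry or of Elastic's rule), the following Python applies the same selection as the detection logic to constructed CloudTrail records and implements the exemption described above by allow-listing the organization's own account IDs. The account IDs, snapshot IDs and the field layout of the `createVolumePermission` request parameters are assumptions.

```python
import json

# Constructed: AWS account IDs that belong to the same organization (the exemption allowlist).
ORG_ACCOUNTS = {"111111111111", "222222222222"}

# Constructed CloudTrail records (assumed field layout of a ModifySnapshotAttribute request).
SAMPLE_EVENTS = [
    json.dumps({"eventSource": "ec2.amazonaws.com", "eventName": "ModifySnapshotAttribute",
                "requestParameters": {"snapshotId": "snap-0aaa", "attributeType": "CREATE_VOLUME_PERMISSION",
                                      "createVolumePermission": {"add": {"items": [{"userId": "222222222222"}]}}}}),
    json.dumps({"eventSource": "ec2.amazonaws.com", "eventName": "ModifySnapshotAttribute",
                "requestParameters": {"snapshotId": "snap-0bbb", "attributeType": "CREATE_VOLUME_PERMISSION",
                                      "createVolumePermission": {"add": {"items": [{"userId": "999999999999"}]}}}}),
    json.dumps({"eventSource": "ec2.amazonaws.com", "eventName": "ModifySnapshotAttribute",
                "requestParameters": {"snapshotId": "snap-0ccc", "attributeType": "CREATE_VOLUME_PERMISSION",
                                      "createVolumePermission": {"add": {"items": [{"group": "all"}]}}}}),
    json.dumps({"eventSource": "ec2.amazonaws.com", "eventName": "DescribeSnapshots"}),
]

def matches_rule(event):
    """Same selection as the KQL: EC2 provider and the ModifySnapshotAttribute action."""
    return event.get("eventSource") == "ec2.amazonaws.com" and event.get("eventName") == "ModifySnapshotAttribute"

def added_permissions(event):
    """Return (account_ids, made_public) for createVolumePermission entries added by the request."""
    params = event.get("requestParameters") or {}
    items = ((params.get("createVolumePermission") or {}).get("add") or {}).get("items") or []
    accounts = {i["userId"] for i in items if "userId" in i}
    made_public = any(i.get("group") == "all" for i in items)
    return accounts, made_public

def triage(event, org_accounts=ORG_ACCOUNTS):
    """Classify a record: 'ignore' (rule does not match), 'exempt' (shared only inside the org),
    'alert' (shared with an outside account or made public), 'review' (other attribute change)."""
    if not matches_rule(event):
        return "ignore"
    accounts, made_public = added_permissions(event)
    if made_public or accounts - org_accounts:
        return "alert"
    return "exempt" if accounts else "review"

def triage_log(lines, org_accounts=ORG_ACCOUNTS):
    """Run triage over newline-delimited JSON CloudTrail records."""
    return [triage(json.loads(line), org_accounts) for line in lines]

if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_EVENTS, triage_log(SAMPLE_EVENTS)):
        print(verdict, json.loads(line).get("requestParameters", {}).get("snapshotId", "-"))
```

Records that only remove permissions still match the rule and come back as `review`, since the exemption applies only to sharing with same-organization accounts.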