LoFP / valid change to a snapshot's permissions

Techniques

• t1537

Sample rules

AWS Snapshot Backup Exfiltration

• source: sigma
• technicques:
  • t1537

Description

Detects the modification of an EC2 snapshot’s permissions to enable access from another account

Detection logic

condition: selection_source
selection_source:
  eventName: ModifySnapshotAttribute
  eventSource: ec2.amazonaws.com