About
An attacker who wants to access EBS volume data can create a snapshot of the volume, then share the snapshot outside of your AWS account.
Understanding Impact
Business Impact
EBS virtual disks can be copied into snapshots, which can then be copied outside of your organization. As disks typically contain sensitive data, this can lead to uncontrolled data leaks.
Technical Impact
An attacker can share an EBS snapshot with their own AWS account, or make it publicly accessible. After doing so, they would typically copy the snapshot into an environment they control and read the data from there.
Detection
You can identify when a snapshot of an EBS volume is taken using the CloudTrail event CreateSnapshot.
Then, you can identify when an EBS snapshot is shared (publicly or with another AWS account) using the event ModifySnapshotAttribute. Below is an example of what the requestParameters attribute looks like when an EBS snapshot is shared with an external AWS account:
"requestParameters": {
    "snapshotId": "snap-1234",
    "attributeType": "CREATE_VOLUME_PERMISSION",
    "createVolumePermission": {
        "add": {
            "items": [{ "userId": "0123456789012" }]
        }
    }
}
If you enabled "Block public access for EBS snapshots", an attacker attempting to share a snapshot publicly will receive an error of type Client.OperationNotPermitted, which is also a valuable signal for detection: the attempt still shows up in CloudTrail, with the errorCode field set.
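The following detection logic is an added example, not code from the original page: it walks constructed CloudTrail records, flags every ModifySnapshotAttribute call that grants CREATE_VOLUME_PERMISSION to an account outside an assumed allowlist of organization accounts (or to the "all" group, which AWS uses for public sharing), and records whether the call was blocked by the Client.OperationNotPermitted error. All account and snapshot IDs are placeholders.

```python
# Constructed sample CloudTrail records (placeholders, not from the original page).
SAMPLE_EVENTS = [
    {"eventName": "CreateSnapshot", "recipientAccountId": "111111111111",
     "requestParameters": {"volumeId": "vol-1234"},
     "responseElements": {"snapshotId": "snap-1234"}},
    # Snapshot shared with an account outside the organization (succeeded).
    {"eventName": "ModifySnapshotAttribute", "recipientAccountId": "111111111111",
     "requestParameters": {"snapshotId": "snap-1234",
                           "attributeType": "CREATE_VOLUME_PERMISSION",
                           "createVolumePermission": {"add": {"items": [{"userId": "0123456789012"}]}}}},
    # Attempt to make the snapshot public, denied by "Block public access for EBS snapshots".
    {"eventName": "ModifySnapshotAttribute", "recipientAccountId": "111111111111",
     "requestParameters": {"snapshotId": "snap-1234",
                           "attributeType": "CREATE_VOLUME_PERMISSION",
                           "createVolumePermission": {"add": {"items": [{"group": "all"}]}}},
     "errorCode": "Client.OperationNotPermitted"},
]

# Assumed set of AWS account IDs that belong to your organization.
TRUSTED_ACCOUNTS = {"111111111111", "222222222222"}


def analyze(events, trusted_accounts):
    """Return (snapshotId, target, blocked) for each attempt to grant
    create-volume permission on a snapshot to an untrusted target.
    target is the external account ID or "public"; blocked is True when
    CloudTrail recorded a Client.OperationNotPermitted error."""
    findings = []
    for ev in events:
        if ev.get("eventName") != "ModifySnapshotAttribute":
            continue
        params = ev.get("requestParameters") or {}
        if params.get("attributeType") != "CREATE_VOLUME_PERMISSION":
            continue
        add = (params.get("createVolumePermission") or {}).get("add") or {}
        blocked = ev.get("errorCode") == "Client.OperationNotPermitted"
        for item in add.get("items") or []:
            if item.get("group") == "all":  # public sharing
                findings.append((params.get("snapshotId"), "public", blocked))
            elif item.get("userId") and item["userId"] not in trusted_accounts:
                findings.append((params.get("snapshotId"), item["userId"], blocked))
    return findings


if __name__ == "__main__":
    for snapshot_id, target, blocked in analyze(SAMPLE_EVENTS, TRUSTED_ACCOUNTS):
        status = "BLOCKED" if blocked else "SUCCEEDED"
        print(f"{snapshot_id} shared with {target}: {status}")
```

Removals ("remove" instead of "add") and shares with accounts in the allowlist are ignored, so the function only surfaces grants that widen access beyond the organization.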
Reproduce the attack
You can easily reproduce this attack in a self-contained manner with Stratus Red Team using the following command:
stratus detonate aws.exfiltration.ec2-share-ebs-snapshot
See also the related documentation.
How Datadog can help
Cloud SIEM
Datadog Cloud SIEM detects this attack using the following out-of-the-box rules:
References
Stratus Red Team - Exfiltrate EBS Snapshot by Sharing It (stratus-red-team.cloud)
M-Trends 2020 Case Study (mandiant.com)
DNC Hack by the GRU, p. 43 (politico.com)
Detecting exfiltration of EBS snapshots (twitter.com)
Loot public EBS snapshots (hackingthe.cloud)
Modifying EBS snapshot permissions (AWS documentation)