Stealing an EBS snapshot by creating a snapshot and sharing it







EXPLOITABILITY Exploitability of a vulnerability measures how easy it is for an attacker to discover and exploit the vulnerability, some might refer to this as likelihood.

IMPACT How impactful to your environment and organization a successful exploitation of this vulnerability is expected to be.




An attacker who wants to access EBS volume data can create a snapshot of the volume, then share the snapshot outside of your AWS account.

Understanding Impact

Business Impact

EBS virtual disks can be copied into snapshots, which can then be copied outside of your organization. As disks typically contain sensitive data, this can lead to uncontrolled data leaks.

Technical Impact

An attacker can share an EBS snapshot with their AWS account, or make it publicly accessible. After doing so, they would typically copy the snapshot in an environment they control to access the data.


You can identify when a snapshot of an EBS volume is taken using the CloudTrail event CreateSnapshot.

Then, you can identify when an EBS snapshot is shared (publicly or with another AWS account) using the event ModifySnapshotAttribute. Below is an example of what the requestParameters attribute looks like when an EBS snapshot is shared with an external AWS account:

"requestParameters": {
"snapshotId": "snap-1234",
"createVolumePermission": {
  "add": {
    "items": [{ "userId": "0123456789012" }]

If you enabled "Block public access for EBS snapshots", an attacker attempting to share a snapshot publicly will result in an error of type Client.OperationNotPermitted, which can also be valuable for detection.

Reproduce the attack

You can easily reproduce this attack in a self-contained manner with Stratus Red Team using the following command:

stratus detonate aws.exfiltration.ec2-share-ebs-snapshot

See also the related documentation.

How Datadog can help

Cloud SIEM

Datadog Cloud SIEM detects this attack using the following out-of-the-box rules:


Stratus Red Team - Exfiltrate EBS Snapshot by Sharing It

M-Trends 2020 Case Study

DNC Hack by the GRU (p. 43)

Detecting exfiltration of EBS snapshots

Loot public EBS snapshots

Modifying EBS snapshot permissions

aws documentation

Did you find this article helpful?

Related Vulnerabilities and Threats