AWS EC2 EBS Snapshot Access Removed

Identifies the removal of access permissions from a shared AWS EC2 EBS snapshot. EBS snapshots are essential for data retention and disaster recovery. Adversaries may revoke or modify snapshot permissions to prevent legitimate users from accessing backups, thereby obstructing recovery efforts after data loss or destructive actions. This tactic can also be used to evade detection or maintain exclusive access to critical backups, ultimately increasing the impact of an attack and complicating incident response.

Rule type: esql
Rule indices:

Rule Severity: low
Risk Score: 21
Runs every: 5m
Searches indices from: now-6m
Maximum alerts per execution: ?
References:

• https://docs.aws.amazon.com/ebs/latest/userguide/ebs-modifying-snapshot-permissions.html
• https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html

Tags:

• Domain: Cloud
• Data Source: AWS
• Data Source: Amazon Web Services
• Data Source: AWS EC2
• Use Case: Threat Detection
• Tactic: Impact
• Resources: Investigation Guide

Version: ?
Rule authors:

• Elastic

Rule license: Elastic License v2

This rule detects when access is removed for an AWS EC2 EBS snapshot. EBS virtual disks can be copied into snapshots, which can then be used as backups for recovery and data retention efforts. Adversaries may attempt to remove access to snapshots in order to prevent legitimate users or automated processes from accessing or restoring from snapshots following data loss, ransomware, or destructive actions. This can significantly delay or even prevent recovery, increasing the impact of the attack. Restricting snapshot access may help adversaries cover their tracks by making it harder for defenders to analyze or recover deleted or altered data. Attackers may remove permissions for all users except their own compromised account, allowing them to maintain exclusive access to backups for future use or leverage. Understanding the context and legitimacy of such changes is crucial to determine if the action is benign or malicious.

• Identify the Actor: Review the aws.cloudtrail.user_identity.arn and aws.cloudtrail.user_identity.access_key_id fields to identify who made the change. Verify if this actor typically performs such actions and if they should have the necessary permissions.
• Review the Request Details: Examine the aws.cloudtrail.request_parameters to understand the specific changes made to the snapshot permissions. Look for any unusual parameters that could suggest unauthorized or malicious modifications.
• Analyze the Source of the Request: Investigate the source.ip and source.geo fields to determine the geographical origin of the request. An external or unexpected location might indicate compromised credentials or unauthorized access.
• Contextualize with Timestamp: Use the @timestamp field to check when the change occurred. Modifications during non-business hours or outside regular maintenance windows might require further scrutiny.
• Correlate with Other Activities: Search for related CloudTrail events before and after this change to see if the same actor or IP address engaged in other potentially suspicious activities. In particular, use the snapshotId to see if this snapshot was shared with an unauthorized account.
• Review UserID: Check the userId field to identify which user's permissions were removed. Verify if this account should be authorized to access the data or if the access removal is expected.

• Legitimate Administrative Actions: Confirm if the snapshot sharing aligns with scheduled updates, development activities, or legitimate administrative tasks documented in change management systems.
• Consistency Check: Compare the action against historical data of similar actions performed by the user or within the organization. If the action is consistent with past legitimate activities, it might indicate a false alarm.

• Immediate Review and Reversal if Necessary: If the change was unauthorized, update the snapshot permissions to restore it to its previous state.
• Enhance Monitoring and Alerts: Adjust monitoring systems to alert on similar actions, especially those involving sensitive data or permissions.
• Educate and Train: Provide additional training to users with administrative rights on the importance of security best practices concerning snapshot management and sharing permissions.
• Audit Snapshots and Policies: Conduct a comprehensive audit of all snapshots and associated policies to ensure they adhere to the principle of least privilege.
• Incident Response: If there's an indication of malicious intent or a security breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences.

For further guidance on managing EBS snapshots and securing AWS environments, refer to the AWS EBS documentation and AWS best practices for security. Additionally, consult the following resources for specific details on EBS snapshot security:

• AWS EBS Snapshot Permissions
• AWS API ModifySnapshotAttribute

from logs-aws.cloudtrail-* metadata _id, _version, _index
| where event.provider == "ec2.amazonaws.com" and event.action == "ModifySnapshotAttribute" and event.outcome == "success"
| dissect aws.cloudtrail.request_parameters "{%{?snapshotId}=%{snapshotId},%{?attributeType}=%{attributeType},%{?createVolumePermission}={%{operationType}={%{?items}=[{%{?userId}=%{userId}}]}}}"
| where operationType == "remove"
| keep @timestamp, aws.cloudtrail.user_identity.arn, cloud.account.id, event.action, snapshotId, attributeType, operationType, userId, source.address

Framework: MITRE ATT&CK

• Tactic:

  • Name: Impact
  • Id: TA0040
  • Reference URL: https://attack.mitre.org/tactics/TA0040/

• Technique:

  • Name: Inhibit System Recovery
  • Id: T1490
  • Reference URL: https://attack.mitre.org/techniques/T1490/

• Technique:

  • Name: Data Destruction
  • Id: T1485
  • Reference URL: https://attack.mitre.org/techniques/T1485/