Triggers
- An AWS control-plane API was invoked which modified the launch permissions of an Amazon Machine Image (AMI) granting either an unknown, external account or the public the ability to launch an EC2 instance from the image.
Possible Root Causes
- An attacker may be exfiltrating data contained in the Amazon Machine Image (AMI) by sharing it externally and launching an instance from the stolen template.
- An authorized administrator may be performing a backup, disaster recovery activities or sharing the image in order to coordinate troubleshooting efforts.
Business Impact
- Exfiltration of Amazon Machine Images (AMI) by an attacker may expose details that support further attack progression. An impacted organization may incur data loss, impacting the confidentiality of sensitive information contained in the impacted Amazon Machine Images (AMIs).
Steps to Verify
- Investigate the Principal that performed the actions for other signs of malicious activity.
- Investigate the affected AMI for potential data loss.
- Validate that any modifications to AMI launch permissions are authorized, given the purpose and policies governing this resource.
- If review indicates possible malicious actions or high-risk configuration:
- Revert any configuration changes.
- Disable credentials associated with this alert.
- Perform a comprehensive investigation to determine initial compromise and scope of impacted resources.