AWS Suspect Public EBS Change

View all detections

Triggers

A credential was observed performing a set of AWS control plane API actions related to exfiltration EC2 snapshots.

Possible Root Causes

An attacker may be actively looking for privilege escalation opportunities
A security or IT service may intentionally be enumerating these APIs for monitoring reasons.

Business Impact

Exfiltration by an attacker of EC2 snapshots may expose details that support further attack progression, or lead to data loss.

Steps to Verify

Investigate the account context that performed this action for other signs of malicious activity.
Investigate for data loss.
If review indicates possible malicious actions or high-risk configuration, revert applicable configurations and disable credentials associated with this alert then perform a comprehensive investigation.

Related MITRE ATT&CK Techniques

See our Detections in Action

Our interactive demo provides a deep dive into the advanced capabilities of our cybersecurity platform, showcasing real-time detection, comprehensive analysis, and proactive threat mitigation.

Don't just read about the possibilities – experience them.

Launch the free tour

Ask for a custom demo

AWS Suspect Public EBS Change

Triggers

Possible Root Causes

Business Impact

Steps to Verify

Related MITRE ATT&CK Techniques

Data from Information Repositories

Data from Cloud Storage

Transfer Data to Cloud Account

See our Detections in Action

FAQs