An AWS EBS snapshot was modified to allow public access
Description
AlphaSOC detected that an Amazon Elastic Block Store (EBS) snapshot has been modified to allow public access. This action exposes sensitive data stored in the snapshot to unauthorized users on the Internet. EBS snapshots are point-in-time copies of EBS volumes that often contain critical data. Permissions added for specific AWS accounts or internal groups are excluded from the detection to avoid false positives and focus only on changes that would make the snapshot available to everyone.
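The filtering described above, as an added example rather than AlphaSOC's own detection logic: it assumes the data source is AWS CloudTrail `ModifySnapshotAttribute` records (the page does not name the source) and flags only successful calls that add the `all` group to `createVolumePermission`. The sample records, snapshot IDs and account ID are constructed placeholders.

```python
# Constructed CloudTrail-style records; snapshot and account IDs are placeholders.
def _event(snapshot_id, permission, error=None):
    record = {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "ModifySnapshotAttribute",
        "requestParameters": {
            "snapshotId": snapshot_id,
            "attributeType": "CREATE_VOLUME_PERMISSION",
            "createVolumePermission": permission,
        },
    }
    if error:
        record["errorCode"] = error
    return record

SAMPLE_EVENTS = [
    # Shared with everyone: the case this detection targets.
    _event("snap-0000000000000000a", {"add": {"items": [{"group": "all"}]}}),
    # Shared with one specific account: excluded to avoid false positives.
    _event("snap-0000000000000000b", {"add": {"items": [{"userId": "111122223333"}]}}),
    # Public access being removed (remediation), not granted.
    _event("snap-0000000000000000c", {"remove": {"items": [{"group": "all"}]}}),
    # Denied call: the snapshot's permissions did not change.
    _event("snap-0000000000000000d", {"add": {"items": [{"group": "all"}]}},
           error="Client.UnauthorizedOperation"),
]

def made_public(event):
    """Return the snapshot ID if the event made a snapshot public, else None."""
    if event.get("eventSource") != "ec2.amazonaws.com":
        return None
    if event.get("eventName") != "ModifySnapshotAttribute":
        return None
    if event.get("errorCode"):  # a failed call changed nothing
        return None
    params = event.get("requestParameters") or {}
    permission = params.get("createVolumePermission") or {}
    added = (permission.get("add") or {}).get("items") or []
    # Only the "all" group means "everyone"; userId entries are targeted shares.
    if any(item.get("group") == "all" for item in added):
        return params.get("snapshotId")
    return None

def public_snapshots(events):
    """Snapshot IDs made public by the given events, in event order."""
    return [sid for sid in map(made_public, events) if sid]

if __name__ == "__main__":
    for sid in public_snapshots(SAMPLE_EVENTS):
        print("snapshot made public:", sid)
```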
Impact
Publicly available EBS snapshots can lead to data exposure, potentially resulting in unauthorized access to sensitive information, intellectual property, or customer data. Threat actors could exploit this misconfiguration to gather intelligence or launch further attacks against the organization's infrastructure.
Severity
| Severity | Condition |
|---|---|
| Medium | Modified AWS EBS snapshot detected |
Investigation and Remediation
Immediately investigate the specific EBS snapshot that was made public. Review the contents of the snapshot to assess the potential impact of the exposure. Reset the snapshot's permissions to private and ensure that no unauthorized access has occurred.
Known False Positives
- Temporary public sharing for legitimate data transfer between AWS accounts
- Intentional public sharing of non-sensitive, public data snapshots
- Testing activities in development environments with dummy data