An AWS EBS snapshot was modified to allow public access

ID: aws_ebs_snapshot_public
Data type: AWS CloudTrail
Severity: Medium
MITRE ATT&CK: TA0010:T1537

Description

AlphaSOC detected that an Amazon Elastic Block Store (EBS) snapshot has been modified to allow public access. This action exposes sensitive data stored in the snapshot to unauthorized users on the Internet. EBS snapshots are point-in-time copies of EBS volumes that often contain critical data. Permissions added for specific AWS accounts or internal groups are excluded from the detection to avoid false positives and focus only on changes that would make the snapshot available to everyone.
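The filter described above, applied to CloudTrail `ModifySnapshotAttribute` records, as an added example that is not AlphaSOC's own rule: it flags only a successful call that adds the `all` group to `createVolumePermission`, and ignores account-specific shares, removals and denied calls. The sample events, snapshot IDs, account IDs and the function names are constructed for illustration.

```python
def _event(snapshot_id, permission, error=None):
    """Build one constructed CloudTrail ModifySnapshotAttribute record."""
    record = {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "ModifySnapshotAttribute",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"},
        "requestParameters": {
            "snapshotId": snapshot_id,
            "attributeType": "CREATE_VOLUME_PERMISSION",
            "createVolumePermission": permission,
        },
    }
    if error:
        record["errorCode"] = error
    return record


# Constructed sample events (IDs and ARNs are placeholders, not real data).
SAMPLE_EVENTS = [
    _event("snap-0aaa", {"add": {"items": [{"group": "all"}]}}),            # made public
    _event("snap-0bbb", {"add": {"items": [{"userId": "444455556666"}]}}),  # one account
    _event("snap-0ccc", {"remove": {"items": [{"group": "all"}]}}),         # made private
    _event("snap-0ddd", {"add": {"items": [{"group": "all"}]}},
           error="Client.UnauthorizedOperation"),                           # denied call
]


def public_snapshot_changes(records):
    """Return (snapshot ID, caller ARN) for each call that made a snapshot public."""
    hits = []
    for rec in records:
        if rec.get("eventSource") != "ec2.amazonaws.com":
            continue
        if rec.get("eventName") != "ModifySnapshotAttribute":
            continue
        if rec.get("errorCode"):  # failed or denied calls changed nothing
            continue
        params = rec.get("requestParameters") or {}
        added = ((params.get("createVolumePermission") or {}).get("add") or {}).get("items") or []
        # Only the "all" group means public; userId entries are account-specific shares.
        if any(str(item.get("group", "")).lower() == "all" for item in added):
            caller = (rec.get("userIdentity") or {}).get("arn")
            hits.append((params.get("snapshotId"), caller))
    return hits


if __name__ == "__main__":
    for snapshot_id, caller in public_snapshot_changes(SAMPLE_EVENTS):
        print(f"public snapshot: {snapshot_id} changed by {caller}")
```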

Impact

Publicly available EBS snapshots can lead to data exposure, potentially resulting in unauthorized access to sensitive information, intellectual property, or customer data. Threat actors could exploit this misconfiguration to gather intelligence or launch further attacks against the organization's infrastructure.

Severity

Severity | Condition
Medium | Modified AWS EBS snapshot detected

Investigation and Remediation

Immediately investigate the specific EBS snapshot that was made public. Review the contents of the snapshot to assess the potential impact of the exposure. Reset the snapshot's permissions to private and ensure that no unauthorized access has occurred.

Known False Positives

  • Temporary public sharing for legitimate data transfer between AWS accounts
  • Intentional public sharing of non-sensitive, public data snapshots
  • Testing activities in development environments with dummy data