AWS EC2 export task was initiated to an unknown S3 bucket
Description
AlphaSOC detected the initiation of an AWS EC2 export task. This operation allows Amazon EC2 instance data to be exported to an S3 bucket as a virtual machine image file. This can be exploited by threat actors to exfiltrate sensitive data or entire virtual machine images from the AWS environment. Actions initiated by AWS services and export task initiation attempts are exempt from the detection to avoid false positives.
Impact
An unauthorized EC2 export task can result in significant data exposure, allowing threat actors to exfiltrate entire virtual machine images, including sensitive data, configurations, and credentials. This could lead to theft of intellectual property, exposure of customer data, or provide attackers with detailed infrastructure information for further attacks.
Severity
Severity | Condition |
---|---|
Low | Anomalous EC2 export task initiation |
Medium | EC2 export task initiated to an unknown S3 bucket |
Investigation and Remediation
Investigate the legitimacy of the EC2 export task by verifying with the system administrators if this was a planned activity. If unauthorized, immediately cancel the export task and revoke the permissions of the compromised account. Analyze the targeted EC2 instance for signs of compromise and review the contents of the associated S3 bucket.
Known False Positives
- Legitimate export to a new S3 bucket