AWS EBS snapshot copied
Description
AlphaSOC detected an AWS EBS snapshot copy operation. Attackers may copy EBS snapshots to exfiltrate data contained in EC2 instance volumes. Snapshots can contain sensitive information including credentials, application data, and database files that would otherwise require direct instance access.
Impact
EBS snapshot copies can expose all data stored on EC2 volumes, including credentials, configuration files, and application data. Attackers may copy snapshots to their own accounts for offline analysis or to extract sensitive data. Cross-region copies may indicate data staging for exfiltration.
Severity
| Severity | Condition |
|---|---|
| Low | AWS EBS snapshot copied |
Investigation and Remediation
Review the snapshot copy operation including the destination region or account. Verify the identity that initiated the copy and confirm it was authorized. Examine the source volume contents to understand potential data exposure. If unauthorized, delete the copied snapshot and investigate the identity for compromise.
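The review steps above map onto the fields of a CloudTrail `CopySnapshot` record: the API is called in the destination region (`awsRegion`), the source region and snapshot come from `requestParameters`, the new snapshot id from `responseElements`, and the initiating identity from `userIdentity.arn`. The following script is an added example, not AlphaSOC's detection logic; it triages such records, flagging cross-region copies and copies by principals outside an allowlist. The CloudTrail key names are assumed from the standard record layout, and the allowlist ARN, account ids and snapshot ids are constructed placeholders.

```python
import json
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical allowlist of principals expected to copy snapshots (backup automation).
AUTHORIZED_PRINCIPALS = {
    "arn:aws:sts::111122223333:assumed-role/BackupAutomationRole/scheduler",
}

# Constructed sample CloudTrail records; account ids, ARNs and snapshot ids are made up.
SAMPLE_EVENTS = json.loads("""
[
  {
    "eventID": "evt-0001",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "CopySnapshot",
    "awsRegion": "us-east-1",
    "recipientAccountId": "111122223333",
    "userIdentity": {"type": "AssumedRole", "accountId": "111122223333",
                     "arn": "arn:aws:sts::111122223333:assumed-role/BackupAutomationRole/scheduler"},
    "requestParameters": {"sourceRegion": "us-east-1", "sourceSnapshotId": "snap-0aaa111"},
    "responseElements": {"snapshotId": "snap-0bbb222"}
  },
  {
    "eventID": "evt-0002",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "CopySnapshot",
    "awsRegion": "eu-west-1",
    "recipientAccountId": "111122223333",
    "userIdentity": {"type": "IAMUser", "accountId": "111122223333",
                     "arn": "arn:aws:iam::111122223333:user/contractor"},
    "requestParameters": {"sourceRegion": "us-east-1", "sourceSnapshotId": "snap-0aaa111",
                          "encrypted": false},
    "responseElements": {"snapshotId": "snap-0ccc333"}
  },
  {
    "eventID": "evt-0003",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "DescribeSnapshots",
    "awsRegion": "us-east-1",
    "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/analyst"}
  }
]
""")


@dataclass
class SnapshotCopyFinding:
    event_id: str
    principal: str
    source_snapshot: str
    new_snapshot: Optional[str]   # the copy; this is the id to delete if the copy is unauthorized
    source_region: str
    destination_region: str
    cross_region: bool
    unknown_principal: bool

    @property
    def needs_review(self) -> bool:
        return self.cross_region or self.unknown_principal


def triage_copy_snapshot(record: dict, allowlist=AUTHORIZED_PRINCIPALS) -> Optional[SnapshotCopyFinding]:
    """Extract the fields an analyst needs from one CloudTrail CopySnapshot record.

    Returns None for records that are not EC2 CopySnapshot calls.
    """
    if record.get("eventSource") != "ec2.amazonaws.com" or record.get("eventName") != "CopySnapshot":
        return None
    params = record.get("requestParameters") or {}
    response = record.get("responseElements") or {}
    principal = (record.get("userIdentity") or {}).get("arn", "<unknown>")
    source_region = params.get("sourceRegion", "")
    # CopySnapshot is invoked in the destination region, so awsRegion is where the copy lands.
    destination_region = record.get("awsRegion", "")
    return SnapshotCopyFinding(
        event_id=record.get("eventID", ""),
        principal=principal,
        source_snapshot=params.get("sourceSnapshotId", ""),
        new_snapshot=response.get("snapshotId"),
        source_region=source_region,
        destination_region=destination_region,
        cross_region=bool(source_region) and source_region != destination_region,
        unknown_principal=principal not in allowlist,
    )


def triage_all(records: List[dict]) -> List[SnapshotCopyFinding]:
    """Run triage over a batch of CloudTrail records, keeping only CopySnapshot findings."""
    return [f for f in (triage_copy_snapshot(r) for r in records) if f is not None]


if __name__ == "__main__":
    for finding in triage_all(SAMPLE_EVENTS):
        status = "REVIEW" if finding.needs_review else "ok"
        print(f"{status:6} {finding.event_id} {finding.principal} "
              f"{finding.source_snapshot}@{finding.source_region} -> "
              f"{finding.new_snapshot}@{finding.destination_region}")
```

In practice the records would come from a CloudTrail lookup or the SIEM's event store rather than an embedded list, and the allowlist from the backup tooling's known role ARNs; the same-region copy by the backup role passes, while the cross-region copy by an unlisted IAM user is the one to take through the remediation steps above.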
Known False Positives
- Legitimate disaster recovery and backup operations
- Cross-region replication for high availability
- Migration activities between regions or accounts