AWS EBS/RDS snapshot copied
Description
AlphaSOC detected that an AWS EBS or RDS snapshot was copied using the
CopyDBClusterSnapshot, CopyDBSnapshot, or CopySnapshot API action. These
actions create copies of existing snapshots, which contain point-in-time backups
of storage volumes or databases. Threat actors may copy snapshots to external
accounts or regions as a method of data exfiltration.
Impact
Unauthorized snapshot copying can lead to data breaches as snapshots often contain complete copies of production databases or file systems with sensitive information. This activity may indicate an attempt to exfiltrate intellectual property, customer data, or other confidential information from your AWS infrastructure.
Severity
| Severity | Condition |
|---|---|
| Informational | AWS EBS/RDS snapshot copied |
Investigation and Remediation
Review AWS CloudTrail logs to identify who initiated the snapshot copy, the destination account or region, and verify whether this action was authorized. Check if the destination is within your organization's control. If unauthorized, immediately revoke the compromised credentials, delete any unauthorized snapshot copies, and audit CloudTrail logs for other suspicious activities by the same principal.
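A triage helper for the CloudTrail review described above, added here as an example and not part of AlphaSOC's own detection code. It assumes the standard CloudTrail record layout (eventName, awsRegion, recipientAccountId, userIdentity.arn) and the request parameter names of the three copy APIs (sourceRegion, sourceSnapshotId, sourceDBSnapshotIdentifier, sourceDBClusterSnapshotIdentifier); the sample records, account IDs and ARNs are constructed placeholders.

```python
# The three API actions this detection covers.
COPY_ACTIONS = {"CopySnapshot", "CopyDBSnapshot", "CopyDBClusterSnapshot"}

def arn_region_account(value):
    """Return (region, account) from an ARN; plain IDs such as snap-... give (None, None)."""
    parts = value.split(":") if isinstance(value, str) and value.startswith("arn:") else []
    return (parts[3] or None, parts[4] or None) if len(parts) >= 6 else (None, None)

def triage_copy_event(event):
    """Turn one snapshot-copy CloudTrail record into a finding; other events give None."""
    if event.get("eventName") not in COPY_ACTIONS:
        return None
    params = event.get("requestParameters") or {}
    account, region = event.get("recipientAccountId"), event.get("awsRegion")
    # The copy API runs in the destination region; the source is named in the request.
    # Parameter names are assumed from the three APIs; verify against your own records.
    source = (params.get("sourceSnapshotId") or params.get("sourceDBSnapshotIdentifier")
              or params.get("sourceDBClusterSnapshotIdentifier"))
    arn_region, arn_account = arn_region_account(source)
    source_region = params.get("sourceRegion") or arn_region or region
    source_account = arn_account or account
    flags = []
    if source_account != account:
        flags.append("cross-account")  # copying a snapshot that another account shared
    if source_region != region:
        flags.append("cross-region")
    return {"time": event.get("eventTime"), "action": event["eventName"],
            "principal": (event.get("userIdentity") or {}).get("arn"), "source": source,
            "source_account": source_account, "account": account,
            "source_region": source_region, "region": region, "flags": flags}

def triage(events):
    """Findings for every copy event in a batch of CloudTrail records, in log order."""
    return [f for f in map(triage_copy_event, events) if f is not None]

# Constructed sample records; account IDs, snapshot IDs and ARNs are placeholders.
OPS = {"arn": "arn:aws:iam::111111111111:user/ops"}
SAMPLE_EVENTS = [
    {"eventName": "DescribeSnapshots", "awsRegion": "us-east-1",
     "recipientAccountId": "111111111111", "userIdentity": OPS},
    {"eventName": "CopySnapshot", "awsRegion": "us-east-1", "recipientAccountId": "111111111111",
     "userIdentity": OPS, "requestParameters": {"sourceRegion": "us-east-1",
                                                "sourceSnapshotId": "snap-0123456789abcdef0"}},
    {"eventName": "CopySnapshot", "awsRegion": "eu-west-1", "recipientAccountId": "111111111111",
     "userIdentity": OPS, "requestParameters": {"sourceRegion": "us-east-1",
                                                "sourceSnapshotId": "snap-0123456789abcdef0"}},
    {"eventName": "CopyDBSnapshot", "awsRegion": "us-east-1", "recipientAccountId": "111111111111",
     "userIdentity": OPS, "requestParameters": {"targetDBSnapshotIdentifier": "prod-copy",
      "sourceDBSnapshotIdentifier": "arn:aws:rds:us-east-1:222222222222:snapshot:shared-prod"}},
]
```

Feed `triage` the records from a CloudTrail lookup or S3 export and review any finding whose flags list is non-empty first, since those are the copies that left the originating account or region.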