
[New Rule] AWS EC2 AMI Attribute Modification

Open bm11100 opened this issue 4 years ago • 1 comments

Description

If an EC2 AMI is made public, an attacker can copy the AMI into their own account and launch an EC2 instance using that AMI and browse the contents of the disk, potentially revealing sensitive or otherwise non-public information.

Required Info

Target indexes

filebeat-* logs-aws*

Platforms

aws

Tested ECS Version

tbd

Optional Info

Query

event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:ModifyImageAttribute and aws.cloudtrail.request_parameters:*attributeType=launchPermission* and event.outcome:success

References

https://endgame.readthedocs.io/en/latest/risks/amis/

Example Data

todo

bm11100 Mar 02 '21 19:03
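The proposed query, evaluated over sample events, as an added example that is not part of the original issue or the detection-rules project. The events are constructed, the key=value rendering of `aws.cloudtrail.request_parameters` is an assumption about how the field is ingested, and the `triage` helper goes beyond the query to separate public shares (`group=all` added) from the other launch-permission changes the rule also matches.

```python
import re
from fnmatch import fnmatchcase

def _event(outcome, params):
    """Build a constructed ECS-shaped CloudTrail ModifyImageAttribute event."""
    return {"event": {"dataset": "aws.cloudtrail", "provider": "ec2.amazonaws.com",
                      "action": "ModifyImageAttribute", "outcome": outcome},
            "aws": {"cloudtrail": {"request_parameters": params}}}

# Constructed sample data; the request_parameters string format is assumed.
SAMPLE_EVENTS = [
    _event("success", "{attributeType=launchPermission, imageId=ami-constructed-1, "
                      "launchPermission={add={items=[{group=all}]}}}"),
    _event("success", "{attributeType=launchPermission, imageId=ami-constructed-2, "
                      "launchPermission={add={items=[{userId=111122223333}]}}}"),
    _event("success", "{attributeType=description, imageId=ami-constructed-3, "
                      "description={value=test}}"),
    _event("failure", "{attributeType=launchPermission, imageId=ami-constructed-4, "
                      "launchPermission={add={items=[{group=all}]}}}"),
    _event("success", "{attributeType=launchPermission, imageId=ami-constructed-5, "
                      "launchPermission={remove={items=[{group=all}]}}}"),
]

# Hypothetical triage pattern: launch permission added for the "all" group.
PUBLIC_ADD = re.compile(r"add=\{items=\[[^\]]*\{group=all\}")

def matches_rule(e):
    """Python equivalent of the query proposed in the issue."""
    ev = e.get("event", {})
    params = e.get("aws", {}).get("cloudtrail", {}).get("request_parameters", "")
    return (ev.get("dataset") == "aws.cloudtrail"
            and ev.get("provider") == "ec2.amazonaws.com"
            and ev.get("action") == "ModifyImageAttribute"
            and ev.get("outcome") == "success"
            and fnmatchcase(params, "*attributeType=launchPermission*"))

def triage(events):
    """Return (imageId, label) for each event the rule would alert on."""
    hits = []
    for e in events:
        if not matches_rule(e):
            continue
        params = e["aws"]["cloudtrail"]["request_parameters"]
        image = re.search(r"imageId=([^,}\s]+)", params)
        label = "public" if PUBLIC_ADD.search(params) else "other"
        hits.append((image.group(1) if image else None, label))
    return hits

if __name__ == "__main__":
    for image_id, label in triage(SAMPLE_EVENTS):
        print(image_id, label)
```

Only the first constructed event makes an AMI public; the account-specific share and the permission removal still match the query as written and would alert alongside it.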

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

botelastic[bot] Aug 25 '21 11:08