rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml
10 additions & 10 deletions
@@ -2,31 +2,29 @@
2
2
creation_date = "2024/04/16"
3
3
integration = ["aws"]
4
4
maturity = "production"
5
-
updated_date = "2025/01/15"
5
+
updated_date = "2025/07/16"
6
6
7
7
[rule]
8
8
author = ["Elastic"]
9
9
description = """
10
-
Identifies an AWS Amazon Machine Image (AMI) being shared with another AWS account. Adversaries with access may share an
11
-
AMI with an external AWS account as a means of data exfiltration. AMIs can contain secrets, bash histories, code
12
-
artifacts, and other sensitive data that adversaries may abuse if shared with unauthorized accounts. AMIs can be made
13
-
publicly available accidentally as well.
10
+
Identifies an AWS Amazon Machine Image (AMI) being shared with another AWS account. Adversaries with access may share an AMI with an external AWS account as a means of data exfiltration. AMIs can contain secrets, bash histories, code artifacts, and other sensitive data that adversaries may abuse if shared with unauthorized accounts. AMIs can be made publicly available accidentally as well.
14
11
"""
15
12
false_positives = [
16
13
"""
17
14
AMI sharing is a common practice in AWS environments. Ensure that the sharing is authorized before taking action.
15
+
AWS Marketplace subscriptions automatically result in assets.marketplace.amazonaws.com invoking ModifyImageAttribute to share the AMI with your account. This rule excludes Marketplace-invoked sharing by design. Other AWS services like workspaces.amazonaws.com and backup.amazonaws.com may invoke this action when users configure sharing through WorkSpaces or Backup plans. Review such service-invoked events to confirm they match legitimate and intended sharing configurations.
18
16
""",
19
17
]
20
-
from = "now-60m"
18
+
from = "now-6m"
21
19
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
22
-
interval = "10m"
20
+
interval = "5m"
23
21
language = "kuery"
24
22
license = "Elastic License v2"
25
-
name = "EC2 AMI Shared with Another Account"
23
+
name = "AWS EC2 AMI Shared with Another Account"
26
24
note = """
27
25
## Triage and analysis
28
26
29
-
### Investigating EC2 AMI Shared with Another Account
27
+
### Investigating AWS EC2 AMI Shared with Another Account
30
28
31
29
This rule identifies when an Amazon Machine Image (AMI) is shared with another AWS account. While sharing AMIs is a common practice, adversaries may exploit this feature to exfiltrate data by sharing AMIs with external accounts under their control.
32
30
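Review bot: the schedule change in this hunk leaves almost no lookback margin. With `from = "now-6m"` and `interval = "5m"`, each run overlaps the previous one by only a minute, so a CloudTrail event that is indexed more than about six minutes after it occurred is never evaluated, and CloudTrail delivery into the index routinely lags by several minutes. The previous pair (`now-60m` / `10m`) tolerated that lag. If the tighter window is intentional, keep `from` well ahead of `interval` (a lookback of a few times the interval) and record the reason in the commit, since the new false_positives text and the Marketplace exclusion do not depend on the shorter window.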
@@ -44,6 +42,7 @@ This rule identifies when an Amazon Machine Image (AMI) is shared with another A
44
42
45
43
- **Legitimate Sharing Practices**: AMI sharing is a common and legitimate practice for collaboration and resource management in AWS. Always verify that the sharing activity was unauthorized before escalating.
46
44
- **Automation Tools**: Some organizations use automation tools for AMI management which might programmatically share AMIs. Verify if such tools are in operation and whether their actions are responsible for the observed behavior.
45
+
- **AWS Services**: Some AWS services, such as WorkSpaces and Backup, automate AMI sharing when users configure cross-account sharing or disaster recovery plans. These will appear in CloudTrail with `userIdentity.invokedBy` and `source.address` fields like `workspaces.amazonaws.com` or `backup.amazonaws.com`. Confirm that such activity aligns with your organization's approved configurations.
47
46
48
47
### Response and Remediation
49
48
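Review bot: the new AWS Services bullet names the raw CloudTrail key `userIdentity.invokedBy` next to the ECS field `source.address`, while the rule's own query filters on `aws.cloudtrail.user_identity.invoked_by`; use the indexed field names here so an analyst can pivot from the alert without translating. It would also help to state in this bullet that only `assets.marketplace.amazonaws.com` is excluded by the query, so WorkSpaces- and Backup-invoked sharing still produces alerts that need verification, which is what the false_positives entry above describes.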
@@ -81,7 +80,8 @@ type = "query"
81
80
query = '''
82
81
event.dataset: "aws.cloudtrail" and event.provider: "ec2.amazonaws.com"
83
82
and event.action: ModifyImageAttribute and event.outcome: success
84
-
and aws.cloudtrail.request_parameters: (*imageId* and *add* and *userId*)
83
+
and aws.cloudtrail.request_parameters: *add=*
84
+
and not aws.cloudtrail.user_identity.invoked_by: "assets.marketplace.amazonaws.com"
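Review bot: replacing `(*imageId* and *add* and *userId*)` with `*add=*` drops the `userId` constraint, so the query now also fires on launch-permission additions that grant access to all AWS accounts (making the AMI public) and on any other successful ModifyImageAttribute whose serialized parameters contain `add=`. That is consistent with the description's mention of accidental public exposure, but the rule name and the false_positives entry only talk about sharing with another account, so one of them should say that public launch-permission grants are covered too. Both the old and the new pattern are leading-wildcard matches on a keyword field, which are expensive at CloudTrail volumes; if the integration exposes the request parameters as structured fields, matching the launchPermission add items directly would be cheaper and more precise. The `not aws.cloudtrail.user_identity.invoked_by: "assets.marketplace.amazonaws.com"` exclusion reads correctly and matches the wording added to false_positives.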