Commit 15d71a3

[Rule Tuning] AWS EC2 AMI Shared with Another Account (#4914)
1 parent 7c45304 commit 15d71a3

1 file changed

+10
-10
lines changed

rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml

Lines changed: 10 additions & 10 deletions
@@ -2,31 +2,29 @@
22
creation_date = "2024/04/16"
33
integration = ["aws"]
44
maturity = "production"
5-
updated_date = "2025/01/15"
5+
updated_date = "2025/07/16"
66

77
[rule]
88
author = ["Elastic"]
99
description = """
10-
Identifies an AWS Amazon Machine Image (AMI) being shared with another AWS account. Adversaries with access may share an
11-
AMI with an external AWS account as a means of data exfiltration. AMIs can contain secrets, bash histories, code
12-
artifacts, and other sensitive data that adversaries may abuse if shared with unauthorized accounts. AMIs can be made
13-
publicly available accidentally as well.
10+
Identifies an AWS Amazon Machine Image (AMI) being shared with another AWS account. Adversaries with access may share an AMI with an external AWS account as a means of data exfiltration. AMIs can contain secrets, bash histories, code artifacts, and other sensitive data that adversaries may abuse if shared with unauthorized accounts. AMIs can be made publicly available accidentally as well.
1411
"""
1512
false_positives = [
1613
"""
1714
AMI sharing is a common practice in AWS environments. Ensure that the sharing is authorized before taking action.
15+
AWS Marketplace subscriptions automatically result in assets.marketplace.amazonaws.com invoking ModifyImageAttribute to share the AMI with your account. This rule excludes Marketplace-invoked sharing by design. Other AWS services like workspaces.amazonaws.com and backup.amazonaws.com may invoke this action when users configure sharing through WorkSpaces or Backup plans. Review such service-invoked events to confirm they match legitimate and intended sharing configurations.
1816
""",
1917
]
20-
from = "now-60m"
18+
from = "now-6m"
2119
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
22-
interval = "10m"
20+
interval = "5m"
2321
language = "kuery"
2422
license = "Elastic License v2"
25-
name = "EC2 AMI Shared with Another Account"
23+
name = "AWS EC2 AMI Shared with Another Account"
2624
note = """
2725
## Triage and analysis
2826
29-
### Investigating EC2 AMI Shared with Another Account
27+
### Investigating AWS EC2 AMI Shared with Another Account
3028
3129
This rule identifies when an Amazon Machine Image (AMI) is shared with another AWS account. While sharing AMIs is a common practice, adversaries may exploit this feature to exfiltrate data by sharing AMIs with external accounts under their control.
3230
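Review bot: the new `from = "now-6m"` paired with `interval = "5m"` leaves only a one-minute overlap between runs, down from the previous 60-minute lookback with a 10-minute interval; CloudTrail events are commonly indexed several minutes after they occur, so an event that lands late can fall outside every run's window and never be evaluated. Consider a wider lookback (for example `from = "now-9m"` or larger) so each run covers delivery lag. Separately, the description was reflowed from wrapped lines into a single long line while the rest of the file keeps multi-line strings wrapped; keeping the wrapping would stay consistent with the surrounding TOML.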
@@ -44,6 +42,7 @@ This rule identifies when an Amazon Machine Image (AMI) is shared with another A
4442
4543
- **Legitimate Sharing Practices**: AMI sharing is a common and legitimate practice for collaboration and resource management in AWS. Always verify that the sharing activity was unauthorized before escalating.
4644
- **Automation Tools**: Some organizations use automation tools for AMI management which might programmatically share AMIs. Verify if such tools are in operation and whether their actions are responsible for the observed behavior.
45+
- **AWS Services**: Some AWS services, such as WorkSpaces and Backup, automate AMI sharing when users configure cross-account sharing or disaster recovery plans. These will appear in CloudTrail with `userIdentity.invokedBy` and `source.address` fields like `workspaces.amazonaws.com` or `backup.amazonaws.com`. Confirm that such activity aligns with your organization's approved configurations.
4746
4847
### Response and Remediation
4948
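Review bot: the new **AWS Services** bullet cites the raw CloudTrail field names `userIdentity.invokedBy` and `source.address`, while the rule's query filters on the ECS-mapped `aws.cloudtrail.user_identity.invoked_by`; an analyst pivoting from this guidance into the index will search the wrong field. Suggest naming the indexed field (`aws.cloudtrail.user_identity.invoked_by`, plus `source.address` only if that is what the integration populates) so the triage note matches the query.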
@@ -81,7 +80,8 @@ type = "query"
8180
query = '''
8281
event.dataset: "aws.cloudtrail" and event.provider: "ec2.amazonaws.com"
8382
and event.action: ModifyImageAttribute and event.outcome: success
84-
and aws.cloudtrail.request_parameters: (*imageId* and *add* and *userId*)
83+
and aws.cloudtrail.request_parameters: *add=*
84+
and not aws.cloudtrail.user_identity.invoked_by: "assets.marketplace.amazonaws.com"
8585
'''
8686

8787

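Review bot: replacing `(*imageId* and *add* and *userId*)` with `*add=*` broadens the match from account-to-account sharing to any `add=` substring in `request_parameters`, which now also covers `group=all` public sharing; that fits the description's mention of accidental public exposure but is not called out anywhere, and a leading-wildcard match on this field is costly at volume, so stating the intended coverage in the description or note would help reviewers and analysts. The `invoked_by` exclusion removes only `assets.marketplace.amazonaws.com`; the false-positives text leaves WorkSpaces and Backup in scope for manual review, which is consistent, but worth confirming that is deliberate rather than an omission.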