[New Rule] AWS EC2 AMI Attribute Modification

## Description
If an EC2 AMI is made public, an attacker can copy the AMI into their own account and launch an EC2 instance using that AMI and browse the contents of the disk, potentially revealing sensitive or otherwise non-public information.

## Required Info

### Target indexes
`filebeat-*`
`logs-aws*`

### Platforms
`aws`

### Tested ECS Version
tbd

## Optional Info

### Query
```
event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:ModifyImageAttribute and aws.cloudtrail.request_parameters:*attributeType=launchPermission* and event.outcome:success
```

### References
https://endgame.readthedocs.io/en/latest/risks/amis/

## Example Data
todo

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[New Rule] AWS EC2 AMI Attribute Modification #968

Description

Required Info

Target indexes

Platforms

Tested ECS Version

Optional Info

Query

References

Example Data

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[New Rule] AWS EC2 AMI Attribute Modification #968

Description

Description

Required Info

Target indexes

Platforms

Tested ECS Version

Optional Info

Query

References

Example Data

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions