[Rule Tuning] AWS EC2 AMI Shared with Another Account #4914
Merged
merged 2 commits into from
Jul 21, 2025
Expand Up @@ -2,31 +2,29 @@
creation_date = "2024/04/16"
integration = ["aws"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/07/16"

[rule]
author = ["Elastic"]
description = """
Identifies an AWS Amazon Machine Image (AMI) being shared with another AWS account. Adversaries with access may share an
AMI with an external AWS account as a means of data exfiltration. AMIs can contain secrets, bash histories, code
artifacts, and other sensitive data that adversaries may abuse if shared with unauthorized accounts. AMIs can be made
publicly available accidentally as well.
Identifies an AWS Amazon Machine Image (AMI) being shared with another AWS account. Adversaries with access may share an AMI with an external AWS account as a means of data exfiltration. AMIs can contain secrets, bash histories, code artifacts, and other sensitive data that adversaries may abuse if shared with unauthorized accounts. AMIs can be made publicly available accidentally as well.
"""
false_positives = [
"""
AMI sharing is a common practice in AWS environments. Ensure that the sharing is authorized before taking action.
AWS Marketplace subscriptions automatically result in assets.marketplace.amazonaws.com invoking ModifyImageAttribute to share the AMI with your account. This rule excludes Marketplace-invoked sharing by design. Other AWS services like workspaces.amazonaws.com and backup.amazonaws.com may invoke this action when users configure sharing through WorkSpaces or Backup plans. Review such service-invoked events to confirm they match legitimate and intended sharing configurations.
""",
]
from = "now-60m"
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
interval = "10m"
interval = "5m"
language = "kuery"
license = "Elastic License v2"
name = "EC2 AMI Shared with Another Account"
name = "AWS EC2 AMI Shared with Another Account"
note = """
## Triage and analysis

### Investigating EC2 AMI Shared with Another Account
### Investigating AWS EC2 AMI Shared with Another Account

This rule identifies when an Amazon Machine Image (AMI) is shared with another AWS account. While sharing AMIs is a common practice, adversaries may exploit this feature to exfiltrate data by sharing AMIs with external accounts under their control.

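Review bot: the lookback shrinks from `now-60m` to `now-6m` while the interval drops from `10m` to `5m`, which leaves only a one-minute overlap and means each run inspects events whose timestamp falls in the last six minutes; CloudTrail records usually land in the index some minutes after the API call, and this hunk does not show a `timestamp_override = "event.ingested"` line, so if the rule has none, late-arriving ModifyImageAttribute events will fall outside the window and never alert. Please confirm the override is present elsewhere in the file, or keep a lookback that covers typical CloudTrail delivery delay. The reflowed description and the expanded false_positives text are consistent with the Marketplace exclusion added in the query.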
Expand All @@ -44,6 +42,7 @@ This rule identifies when an Amazon Machine Image (AMI) is shared with another A

- **Legitimate Sharing Practices**: AMI sharing is a common and legitimate practice for collaboration and resource management in AWS. Always verify that the sharing activity was unauthorized before escalating.
- **Automation Tools**: Some organizations use automation tools for AMI management which might programmatically share AMIs. Verify if such tools are in operation and whether their actions are responsible for the observed behavior.
- **AWS Services**: Some AWS services, such as WorkSpaces and Backup, automate AMI sharing when users configure cross-account sharing or disaster recovery plans. These will appear in CloudTrail with `userIdentity.invokedBy` and `source.address` fields like `workspaces.amazonaws.com` or `backup.amazonaws.com`. Confirm that such activity aligns with your organization's approved configurations.

### Response and Remediation

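Review bot: the new bullet refers to the raw CloudTrail field `userIdentity.invokedBy`, but the rule's query filters on the ECS field `aws.cloudtrail.user_identity.invoked_by`; analysts pivoting from this guide into the index will need the ECS name, so consider writing `aws.cloudtrail.user_identity.invoked_by` (and `source.address`, which is already ECS) so the guidance and the query name the same fields. It would also help to say explicitly that, unlike Marketplace, WorkSpaces- and Backup-invoked sharing is not excluded by the query and will still produce alerts that need this review.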
Expand Down Expand Up @@ -81,7 +80,8 @@ type = "query"
query = '''
event.dataset: "aws.cloudtrail" and event.provider: "ec2.amazonaws.com"
and event.action: ModifyImageAttribute and event.outcome: success
and aws.cloudtrail.request_parameters: (*imageId* and *add* and *userId*)
and aws.cloudtrail.request_parameters: *add=*
and not aws.cloudtrail.user_identity.invoked_by: "assets.marketplace.amazonaws.com"
'''


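Review bot: replacing `(*imageId* and *add* and *userId*)` with `*add=*` widens the match from account-to-account sharing to any `launchPermission` add, including `group=all` (public) and organization or OU targets; that fits the description's sentence about accidental public exposure, but the rule name and the investigation guide still speak only of sharing with another account, so consider documenting the public and organization cases in the triage note or splitting them into their own rule. `*add=*` is also a leading-wildcard query on `aws.cloudtrail.request_parameters`, which is expensive on large CloudTrail indices; the previous pattern had the same shape, but it is worth stating in the PR that the broader pattern was exercised against both `userId` and `group=all` samples. The `not aws.cloudtrail.user_identity.invoked_by: "assets.marketplace.amazonaws.com"` exclusion matches the false_positives text added in the first hunk.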