
[Deprecation] AWS EC2 Snapshot Activity

Open imays11 opened this issue 1 year ago • 2 comments

Link to Rule

https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml

Description

This rule is very broad, capturing any time an EC2 instance snapshot's permission settings are modified via the ModifySnapshotAttribute API.

This could be used to:

  • grant access to a single external account add: <external.account.id>
  • make the snapshot public add : all
  • remove access from a single external account remove: <external.account.id>

PROBLEM: The problem is that this rule is too generic and so captures all 3 of these very different activities. Additionally, this new rule: AWS EC2 EBS Snapshot Shared with Another Account @terrancedejesus captures the first use case listed above, which means duplicate alerts for the same behavior, as shown below.

[Screenshot 2024-07-18 at 4:17:25 PM: duplicate alerts from both rules for the same snapshot-sharing event]

SUGGESTION:

  1. deprecate this rule because it's too broad
  2. tune the existing new rule description, AWS EC2 EBS Snapshot Shared with Another Account, to include that this query actually captures both external account sharing and when a snapshot is made public
  3. create a new rule to capture the removal of permissions for a snapshot

imays11 avatar Jul 18 '24 21:07 imays11
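The three activities the issue lists can be told apart from the `createVolumePermission` request parameters of a ModifySnapshotAttribute CloudTrail record. The classifier below is an added example, not code from the detection-rules repository; the CloudTrail records are constructed, and the field layout (`requestParameters.createVolumePermission.add/remove.items`, `recipientAccountId`) is assumed to match how CloudTrail serialises this API call.

```python
# Constructed CloudTrail records covering the three cases from the issue plus one
# out-of-scope attribute change. Account and snapshot IDs are placeholders.
SAMPLE_EVENTS = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "ModifySnapshotAttribute",
     "recipientAccountId": "111111111111",
     "requestParameters": {"snapshotId": "snap-0aaa", "attributeType": "CREATE_VOLUME_PERMISSION",
                           "createVolumePermission": {"add": {"items": [{"userId": "222222222222"}]}}}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "ModifySnapshotAttribute",
     "recipientAccountId": "111111111111",
     "requestParameters": {"snapshotId": "snap-0bbb", "attributeType": "CREATE_VOLUME_PERMISSION",
                           "createVolumePermission": {"add": {"items": [{"group": "all"}]}}}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "ModifySnapshotAttribute",
     "recipientAccountId": "111111111111",
     "requestParameters": {"snapshotId": "snap-0ccc", "attributeType": "CREATE_VOLUME_PERMISSION",
                           "createVolumePermission": {"remove": {"items": [{"userId": "222222222222"}]}}}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "ModifySnapshotAttribute",
     "recipientAccountId": "111111111111",
     "requestParameters": {"snapshotId": "snap-0ddd", "attributeType": "PRODUCT_CODES"}},
]


def classify_snapshot_permission_change(event):
    """Map one CloudTrail record to a category a dedicated rule would own.

    'made_public' and 'shared_with_external_account' are what the issue says the
    "Shared with Another Account" rule should cover; 'permission_removed' is the
    proposed new rule. Returns None for records outside createVolumePermission.
    """
    if event.get("eventSource") != "ec2.amazonaws.com":
        return None
    if event.get("eventName") != "ModifySnapshotAttribute":
        return None
    perm = event.get("requestParameters", {}).get("createVolumePermission")
    if not perm:
        return None  # e.g. PRODUCT_CODES changes: not a sharing change
    own_account = event.get("recipientAccountId")
    added = perm.get("add", {}).get("items", [])
    removed = perm.get("remove", {}).get("items", [])
    if any(item.get("group") == "all" for item in added):
        return "made_public"  # public snapshot: highest severity
    if any(item.get("userId") and item["userId"] != own_account for item in added):
        return "shared_with_external_account"
    if removed:
        return "permission_removed"  # cleanup, or covering tracks after a share
    return "internal_change"


def triage(events):
    """Return {snapshotId: category} for every in-scope record."""
    result = {}
    for event in events:
        category = classify_snapshot_permission_change(event)
        if category is not None:
            result[event["requestParameters"]["snapshotId"]] = category
    return result
```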

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

botelastic[bot] avatar Sep 16 '24 22:09 botelastic[bot]

this will be addressed as a part of AWS rule tuning effort

imays11 avatar Sep 17 '24 03:09 imays11