AWS Suspect Public AMI Change

Detection overview

Triggers

  • An AWS control-plane API call modified the launch permissions of an Amazon Machine Image (AMI), granting either an unknown external account or the public the ability to launch an EC2 instance from the image.
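The trigger above can be reproduced as a simple detection rule over CloudTrail. The following is an added example, not the vendor's detection logic: it scans constructed `ModifyImageAttribute` records (the field layout approximates CloudTrail's `requestParameters.launchPermission.add.items` shape and is an assumption), flags grants to `group: all` (public) or to an account outside a constructed allowlist, ignores `remove` grants and calls that failed with an `errorCode`, and carries the principal, source IP and image id forward so the "Steps to Verify" below have something to start from.

```python
"""Flag AMI launch-permission changes that expose an image publicly or to an
unknown external AWS account, from CloudTrail ModifyImageAttribute records.

Added example. The record shapes below are constructed to approximate
CloudTrail and the account allowlist is invented for the example.
"""
import json

# Accounts that are allowed to receive shared AMIs (constructed allowlist).
KNOWN_ACCOUNTS = {"111111111111", "222222222222"}


def _added_launch_permissions(event):
    """Return the launchPermission 'add' items of a ModifyImageAttribute record."""
    params = event.get("requestParameters") or {}
    launch_perm = params.get("launchPermission") or {}
    add = launch_perm.get("add") or {}
    return add.get("items") or []


def classify_event(event, known_accounts=KNOWN_ACCOUNTS):
    """Return a list of findings for one CloudTrail record; empty means benign."""
    if event.get("eventName") != "ModifyImageAttribute":
        return []
    if event.get("errorCode"):
        # A failed call (e.g. AccessDenied) changed nothing; track the attempt
        # elsewhere if desired, but it is not a permission change.
        return []
    owner = event.get("recipientAccountId")
    base = {
        "eventTime": event.get("eventTime"),
        "principal": (event.get("userIdentity") or {}).get("arn"),
        "sourceIP": event.get("sourceIPAddress"),
        "imageId": (event.get("requestParameters") or {}).get("imageId"),
    }
    findings = []
    for item in _added_launch_permissions(event):
        if item.get("group") == "all":
            findings.append({**base, "severity": "high",
                             "reason": "AMI launch permission granted to the public (group=all)"})
        elif "userId" in item:
            acct = item["userId"]
            # Sharing with the owning account or an allowlisted account is expected.
            if acct != owner and acct not in known_accounts:
                findings.append({**base, "severity": "medium",
                                 "reason": f"AMI shared with unknown external account {acct}"})
        else:
            # Organization/OU grants or an unfamiliar item shape: surface for review.
            findings.append({**base, "severity": "low",
                             "reason": "AMI shared via unrecognised grant "
                                       + json.dumps(item, sort_keys=True)})
    return findings


def scan(records, known_accounts=KNOWN_ACCOUNTS):
    """Run classify_event over an iterable of CloudTrail records."""
    findings = []
    for record in records:
        findings.extend(classify_event(record, known_accounts))
    return findings


def _event(image_id, launch_permission, error_code=None, time="2024-01-15T10:00:00Z"):
    """Build one constructed CloudTrail-like record for the sample set."""
    event = {
        "eventTime": time,
        "eventSource": "ec2.amazonaws.com",
        "eventName": "ModifyImageAttribute",
        "sourceIPAddress": "198.51.100.23",
        "recipientAccountId": "111111111111",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/example-user"},
        "requestParameters": {"imageId": image_id,
                              "attributeType": "launchPermission",
                              "launchPermission": launch_permission},
    }
    if error_code:
        event["errorCode"] = error_code
    return event


# Constructed sample records: public grant, allowlisted share, unknown-account
# share, a permission removal and a denied call.
SAMPLE_EVENTS = [
    _event("ami-0a1b2c3d4e5f60001", {"add": {"items": [{"group": "all"}]}}),
    _event("ami-0a1b2c3d4e5f60002", {"add": {"items": [{"userId": "222222222222"}]}}),
    _event("ami-0a1b2c3d4e5f60003", {"add": {"items": [{"userId": "333333333333"}]}}),
    _event("ami-0a1b2c3d4e5f60004", {"remove": {"items": [{"group": "all"}]}}),
    _event("ami-0a1b2c3d4e5f60005", {"add": {"items": [{"group": "all"}]}},
           error_code="Client.UnauthorizedOperation"),
]

if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_EVENTS), indent=2))
```

On the constructed sample set the scan yields two findings: the public grant on the first image and the share with the unknown account on the third; the allowlisted share, the removal and the denied call produce nothing. In production the allowlist would come from the organization's account inventory, and denied attempts would typically be tracked as a separate, lower-priority signal.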

Possible Root Causes

  • An attacker may be exfiltrating data contained in the Amazon Machine Image (AMI) by sharing it externally and launching an instance from the stolen template.
  • An authorized administrator may be performing a backup or disaster-recovery activity, or sharing the image to coordinate troubleshooting.

Business Impact

  • Exfiltration of an Amazon Machine Image (AMI) by an attacker may expose details that support further attack progression. The impacted organization may incur data loss, compromising the confidentiality of sensitive information contained in the affected AMIs.

Steps to Verify

  • Investigate the Principal that performed the actions for other signs of malicious activity.
  • Investigate the affected AMI for potential data loss.
  • Validate that any modifications to AMI launch permissions are authorized, given the purpose and policies governing this resource.
  • If review indicates possible malicious actions or high-risk configuration:
    - Revert any configuration changes.
    - Disable credentials associated with this alert.
    - Perform a comprehensive investigation to determine initial compromise and scope of impacted resources.