AWS Suspect Public EBS Change


  • A credential was observed performing a set of AWS control plane API actions related to the exfiltration of EC2 snapshots.

Possible Root Causes

  • An attacker may be actively looking for privilege escalation opportunities.
  • A security or IT service may intentionally be enumerating these APIs for monitoring reasons.

Business Impact

  • Exfiltration of EC2 snapshots by an attacker may expose details that support further attack progression or lead to data loss.

Steps to Verify

  1. Investigate the account context that performed this action for other signs of malicious activity.
  2. Investigate for data loss.
  3. If review indicates possible malicious actions or high-risk configuration, revert applicable configurations and disable credentials associated with this alert, then perform a comprehensive investigation.
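
As a starting point for steps 1 and 2, the added example below (not the vendor's detection logic) scans CloudTrail records for successful ModifySnapshotAttribute calls that grant create-volume permission to everyone or to an account outside a trusted list. It assumes this API is among the actions behind the alert, which the page does not name; the records, account IDs, ARNs and the trusted_accounts parameter are constructed for illustration.

```python
# Constructed CloudTrail records (not real data); IDs and ARNs are placeholders.
def _event(actor, add_items, error=None):
    return {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "ModifySnapshotAttribute",
        "recipientAccountId": "111111111111",
        "sourceIPAddress": "198.51.100.7",
        "errorCode": error,
        "userIdentity": {"arn": actor, "accessKeyId": "AKIAEXAMPLEKEY"},
        "requestParameters": {
            "snapshotId": "snap-0example",
            "attributeType": "CREATE_VOLUME_PERMISSION",
            "createVolumePermission": {"add": {"items": add_items}},
        },
    }

SAMPLE_EVENTS = [
    _event("arn:aws:iam::111111111111:user/alice", [{"group": "all"}]),
    _event("arn:aws:iam::111111111111:user/alice", [{"userId": "999999999999"}]),
    _event("arn:aws:iam::111111111111:role/backup", [{"userId": "222222222222"}]),
    _event("arn:aws:iam::111111111111:user/bob", [{"group": "all"}], error="Client.UnauthorizedOperation"),
]

def snapshot_exposures(events, trusted_accounts=frozenset()):
    """Findings for successful calls that share a snapshot publicly or externally."""
    findings = []
    for ev in events:
        if ev.get("eventName") != "ModifySnapshotAttribute" or ev.get("errorCode"):
            continue  # other API, or a denied/failed call that exposed nothing
        params = ev.get("requestParameters") or {}
        perm = params.get("createVolumePermission") or {}
        own = set(trusted_accounts) | {ev.get("recipientAccountId")}
        for item in (perm.get("add") or {}).get("items") or []:
            if item.get("group") == "all":
                exposure = "public"
            elif item.get("userId") and item["userId"] not in own:
                exposure = "external:" + item["userId"]
            else:
                continue  # shared with the owning or a trusted account
            ident = ev.get("userIdentity") or {}
            findings.append({
                "snapshot": params.get("snapshotId"),
                "exposure": exposure,
                "actor": ident.get("arn"),
                "access_key": ident.get("accessKeyId"),
                "source_ip": ev.get("sourceIPAddress"),
            })
    return findings
```

Calling snapshot_exposures(SAMPLE_EVENTS, trusted_accounts={"222222222222"}) returns two findings, both for the alice user: one public share and one share with account 999999999999. The actor and access_key fields identify the credential to review and, if warranted, disable under step 3.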