Skip to content

CreateSnapshot

AWS

CreateSnapshot

service: AWS - EC2
techniques:

Event

Creates a point-in-time snapshot of an EBS volume, stored durably for backup or volume duplication.

Security Context

  • Accessing cloud storage objects can expose sensitive data including backups, configuration files, application data, and customer information.
  • Transferring data to external cloud accounts or regions can bypass network-based data loss prevention controls and exfiltrate large volumes of data.

Log Source

CloudTrail

Sample Event

Adversarial. Draco creates an EBS snapshot of the OCCAMY pipeline EC2’s data volume (containing OCCAMY’s intermediate ingest state including PII batches). Stage 1 of an exfil chain — a follow-up ModifySnapshotAttribute would grant the adversary account restore permission so they can mount the volume in their own account.

{
"eventVersion": "1.09",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDADRAC0MALF0YBADGY",
"arn": "arn:aws:iam::555123456789:user/draco",
"accountId": "555123456789",
"accessKeyId": "AKIADRAC0MALF0YEXAMP5",
"userName": "draco",
"sessionContext": {
"attributes": {
"creationDate": "2026-04-15T18:51:02Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-04-16T01:05:09Z",
"eventSource": "ec2.amazonaws.com",
"eventName": "CreateSnapshot",
"awsRegion": "us-east-1",
"sourceIPAddress": "203.0.113.66",
"userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6",
"requestParameters": {
"volumeId": "vol-0occamydata00000001",
"description": "Daily Backup"
},
"responseElements": {
"requestId": "90000000-0000-4000-8000-000010100000",
"snapshotId": "snap-0666exfilsnap6666",
"volumeId": "vol-0occamydata00000001",
"ownerId": "555123456789",
"volumeSize": 500,
"description": "Daily Backup",
"encrypted": true,
"kmsKeyId": "arn:aws:kms:us-east-1:555123456789:key/60000000-0000-4000-8000-000000000001",
"status": "pending",
"startTime": "Apr 16, 2026, 1:05:09 AM",
"progress": "0%"
},
"requestID": "90000000-0000-4000-8000-000010100000",
"eventID": "90000000-0000-4000-8000-000010100001",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "555123456789",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "ec2.us-east-1.amazonaws.com"
}
}

MITRE ATT&CK Mapping

Tactics: Collection Exfiltration

Techniques:
  • T1530 — Data from Cloud Storage — Adversaries may access data from cloud storage.
  • T1537 — Transfer Data to Cloud Account — Adversaries may exfiltrate data by transferring the data, including through sharing/syncing and creating backups of cloud environments, to another cloud account they control on the same service.