ModifyImageAttribute
AWS
ModifyImageAttribute
Event
Modifies attributes of an AMI, such as making it public or sharing it with specific AWS accounts.
Security Context
- Impairing defenses allows adversaries to operate freely by removing security controls that would otherwise detect or block their activity.
- Creating or accessing snapshots and images can expose full disk contents, including credentials, application data, and configuration secrets.
- Transferring data to external cloud accounts or regions can bypass network-based data loss prevention controls and exfiltrate large volumes of data.
Log Source
CloudTrail
Sample Event
Adversarial — exfiltration. Draco identifies a hardened AMI used by the OCCAMY pipeline (ami-0occamy0base000001) — it contains baked-in agent code, internal CA certs, and a config file with a service-account API key. He calls ModifyImageAttribute to add the adversary-controlled account (555666661337) to the AMI’s launch-permission list. Once shared, he can launch an instance from it in his own account and read everything inside. T1685 (defense-impairment via low-detection-surface AWS API) + T1578 + T1537.
{ "eventVersion": "1.09", "userIdentity": { "type": "IAMUser", "principalId": "AIDADRAC0MALF0YBADGY", "arn": "arn:aws:iam::555123456789:user/draco", "accountId": "555123456789", "accessKeyId": "AKIADRAC0MALF0YEXAMP5", "userName": "draco", "sessionContext": { "attributes": { "creationDate": "2026-04-15T21:42:08Z", "mfaAuthenticated": "false" } } }, "eventTime": "2026-04-15T22:41:09Z", "eventSource": "ec2.amazonaws.com", "eventName": "ModifyImageAttribute", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.66", "userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6", "requestParameters": { "imageId": "ami-0occamy0base000001", "launchPermission": { "add": { "items": [ { "userId": "555666661337" } ] } } }, "responseElements": { "requestId": "90000000-0000-4000-8000-000101010100", "_return": true }, "requestID": "90000000-0000-4000-8000-000101010100", "eventID": "90000000-0000-4000-8000-000101010101", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "555123456789", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "ec2.us-east-1.amazonaws.com" }}MITRE ATT&CK Mapping
Tactics: Defense Impairment Exfiltration Collection
Techniques:
- T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...
- T1578 — Modify Cloud Compute Infrastructure — An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots.
- T1537 — Transfer Data to Cloud Account — Adversaries may exfiltrate data by transferring the data, including through sharing/syncing and creating backups of cloud environments, to another cloud account they control on the same service.