ModifySnapshotAttribute
AWS
ModifySnapshotAttribute
Event
Modifies the permissions of an EBS snapshot, such as making it public or sharing it with specific AWS accounts.
Security Context
- Accessing cloud storage objects can expose sensitive data including backups, configuration files, application data, and customer information.
- Transferring data to external cloud accounts or regions can bypass network-based data loss prevention controls and exfiltrate large volumes of data.
Log Source
CloudTrail
Sample Event
Adversarial — exfiltration. Draco snapshots the EBS root volume of an EC2 hosting BOWTRUCKLE secret-management workloads (a snapshot named snap-0bowtruckle0secret001), then calls ModifySnapshotAttribute to add the adversary-controlled external account 555666661337 to the snapshot’s createVolumePermission. From his account, he creates an EBS volume from the snapshot, attaches it to an EC2 he controls, and mounts the filesystem to grep for AWS keys, kubeconfigs, and .env files. T1537 + T1530.
{ "eventVersion": "1.09", "userIdentity": { "type": "IAMUser", "principalId": "AIDADRAC0MALF0YBADGY", "arn": "arn:aws:iam::555123456789:user/draco", "accountId": "555123456789", "accessKeyId": "AKIADRAC0MALF0YEXAMP5", "userName": "draco", "sessionContext": { "attributes": { "creationDate": "2026-04-15T21:42:08Z", "mfaAuthenticated": "false" } } }, "eventTime": "2026-04-15T22:55:42Z", "eventSource": "ec2.amazonaws.com", "eventName": "ModifySnapshotAttribute", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.66", "userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6", "requestParameters": { "snapshotId": "snap-0bowtruckle0secret001", "attributeType": "CREATE_VOLUME_PERMISSION", "createVolumePermission": { "add": { "items": [ { "userId": "555666661337" } ] } } }, "responseElements": { "requestId": "90000000-0000-4000-8000-000101011000", "_return": true }, "requestID": "90000000-0000-4000-8000-000101011000", "eventID": "90000000-0000-4000-8000-000101011001", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "555123456789", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "ec2.us-east-1.amazonaws.com" }}MITRE ATT&CK Mapping
Tactics: Exfiltration Collection
Techniques:
- T1537 — Transfer Data to Cloud Account — Adversaries may exfiltrate data by transferring the data, including through sharing/syncing and creating backups of cloud environments, to another cloud account they control on the same service.
- T1530 — Data from Cloud Storage — Adversaries may access data from cloud storage.