Skip to content

ModifySnapshotAttribute

AWS

ModifySnapshotAttribute

service: AWS - EC2
techniques:

Event

Modifies the permissions of an EBS snapshot, such as making it public or sharing it with specific AWS accounts.

Security Context

  • Accessing cloud storage objects can expose sensitive data including backups, configuration files, application data, and customer information.
  • Transferring data to external cloud accounts or regions can bypass network-based data loss prevention controls and exfiltrate large volumes of data.

Log Source

CloudTrail

Sample Event

Adversarial — exfiltration. Draco snapshots the EBS root volume of an EC2 hosting BOWTRUCKLE secret-management workloads (a snapshot named snap-0bowtruckle0secret001), then calls ModifySnapshotAttribute to add the adversary-controlled external account 555666661337 to the snapshot’s createVolumePermission. From his account, he creates an EBS volume from the snapshot, attaches it to an EC2 he controls, and mounts the filesystem to grep for AWS keys, kubeconfigs, and .env files. T1537 + T1530.

{
"eventVersion": "1.09",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDADRAC0MALF0YBADGY",
"arn": "arn:aws:iam::555123456789:user/draco",
"accountId": "555123456789",
"accessKeyId": "AKIADRAC0MALF0YEXAMP5",
"userName": "draco",
"sessionContext": {
"attributes": {
"creationDate": "2026-04-15T21:42:08Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-04-15T22:55:42Z",
"eventSource": "ec2.amazonaws.com",
"eventName": "ModifySnapshotAttribute",
"awsRegion": "us-east-1",
"sourceIPAddress": "203.0.113.66",
"userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6",
"requestParameters": {
"snapshotId": "snap-0bowtruckle0secret001",
"attributeType": "CREATE_VOLUME_PERMISSION",
"createVolumePermission": {
"add": {
"items": [
{
"userId": "555666661337"
}
]
}
}
},
"responseElements": {
"requestId": "90000000-0000-4000-8000-000101011000",
"_return": true
},
"requestID": "90000000-0000-4000-8000-000101011000",
"eventID": "90000000-0000-4000-8000-000101011001",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "555123456789",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "ec2.us-east-1.amazonaws.com"
}
}

MITRE ATT&CK Mapping

Tactics: Exfiltration Collection

Techniques:
  • T1537 — Transfer Data to Cloud Account — Adversaries may exfiltrate data by transferring the data, including through sharing/syncing and creating backups of cloud environments, to another cloud account they control on the same service.
  • T1530 — Data from Cloud Storage — Adversaries may access data from cloud storage.