SharedSnapshotVolumeCreated
AWS
SharedSnapshotVolumeCreated
Event
Records the creation of an EBS volume from a snapshot shared by another AWS account.
Security Context
- Accessing cloud storage objects can expose sensitive data including backups, configuration files, application data, and customer information.
- Transferring data to external cloud accounts or regions can bypass network-based data loss prevention controls and exfiltrate large volumes of data.
Log Source
CloudTrail
Sample Event
SharedSnapshotVolumeCreated fires in Fantastic Logs’s own (victim’s) CloudTrail when Draco creates an EBS volume in 555666661337 from the shared snapshot snap-0phoenix000000007 — completing the exfil chain (ModifySnapshotAttribute share → SharedSnapshotVolumeCreated). Once the volume is attached to one of his instances, he can read every byte. As with SharedSnapshotCopyInitiated, the owner’s trail only sees the consuming account at AWSAccount granularity. T1537 + T1530.
{ "eventVersion": "1.09", "userIdentity": { "type": "AWSAccount", "principalId": "AROADRAC0EXTERNAL666", "accountId": "555666661337", "invokedBy": "AWS Internal" }, "eventTime": "2026-04-15T20:42:18Z", "eventSource": "ec2.amazonaws.com", "eventName": "SharedSnapshotVolumeCreated", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.66", "userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6", "serviceEventDetails": { "snapshotId": "snap-0phoenix000000007", "availabilityZone": "us-west-2a", "accountId": "555666661337" }, "eventID": "90000000-0000-4000-8000-000110110001", "readOnly": false, "eventType": "AwsServiceEvent", "managementEvent": true, "recipientAccountId": "555123456789", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "ec2.us-east-1.amazonaws.com" }}MITRE ATT&CK Mapping
Tactics: Collection Exfiltration
Techniques:
- T1537 — Transfer Data to Cloud Account — Adversaries may exfiltrate data by transferring the data, including through sharing/syncing and creating backups of cloud environments, to another cloud account they control on the same service.
- T1530 — Data from Cloud Storage — Adversaries may access data from cloud storage.