AWS Cloud Trail AWS EBS Snapshot Publicly Exposed
Query
// https://github.com/FalconForceTeam/FalconFriday/blob/master/Collection/0xFF-0236-Resource_Shared_with_Unknown_External_Account-AWS.md
let _SharedAWSAccounts = toscalar(
_GetWatchlist("AccountId-AuditAWSAccounts")
| where Notes has "[ShareSnapshot]"
| summarize make_list(AccountId)
);
AWSCloudTrail
| where EventName == "ModifySnapshotAttribute"
| mv-expand Item = todynamic(RequestParameters)["createVolumePermission"]["add"]["items"]
| where isnotempty(Item)
| where Item["userId"] contains "*" or not(tostring(Item["userId"]) in (_SharedAWSAccounts)) or Item or Item["group"] has "all"
| invoke AWSIdentityRole()
| project
TimeGenerated,
UserIdentityType,
Identity,
ActorRole,
UserIdentityAccountId,
UserIdentityAccountName,
RecipientAccountId,
RecipientAccountName,
AWSRegion,
SessionCreationDate,
UserIdentityPrincipalid,
UserIdentityArn,
SourceIpAddress,
EventSource,
EventTypeName,
EventName,
ManagementEvent,
ReadOnly,
ErrorCode,
ErrorMessage,
RequestParameters,
ResponseElements,
Resources,
SessionMfaAuthenticated,
UserAgent,
AwsEventIdExplanation
This KQL query is designed to identify and analyze AWS CloudTrail events where an Amazon EBS snapshot's permissions have been modified to share it with external accounts that are either unknown or not pre-approved. Here's a simplified breakdown of what the query does:
-
Define a List of Approved Accounts:
- It retrieves a list of AWS account IDs from a watchlist named "AccountId-AuditAWSAccounts" that are marked with the note "[ShareSnapshot]". These are considered approved accounts for sharing snapshots.
-
Filter CloudTrail Events:
- It looks at the
AWSCloudTraillogs for events where theEventNameis "ModifySnapshotAttribute". This event indicates changes to the sharing permissions of an EBS snapshot.
- It looks at the
-
Expand and Filter Permissions:
- The query expands the
createVolumePermissionattribute to check the list of accounts or groups that have been added to the snapshot's permissions. - It filters out events where:
- The
userIdcontains a wildcard ("*"), indicating a broad or potentially insecure permission. - The
userIdis not in the list of approved accounts (_SharedAWSAccounts). - The permission is granted to the "all" group, which means the snapshot is publicly accessible.
- The
- The query expands the
-
Invoke Additional Information:
- It calls a function
AWSIdentityRole()to gather more details about the identity roles involved in the event.
- It calls a function
-
Select Relevant Data:
- Finally, it projects (selects) various fields from the event logs to provide detailed information about the event, such as the time it occurred, the identity and role of the user who made the change, the AWS region, the source IP address, and other relevant metadata.
In summary, this query helps identify potentially risky or unauthorized sharing of AWS EBS snapshots by checking for modifications that involve unknown or unapproved external accounts.
Details

Jose Sebastián Canós
Released: March 11, 2024
Tables
AWSCloudTrail
Keywords
AWSCloudTrailAWSIdentityRoleAccountIdUserIdentityTypeIdentityActorRoleUserIdentityAccountIdUserIdentityAccountNameRecipientAccountIdRecipientAccountNameAWSRegionSessionCreationDateUserIdentityPrincipalidUserIdentityArnSourceIpAddressEventSourceEventTypeNameEventNameManagementEventReadOnlyErrorCodeErrorMessageRequestParametersResponseElementsResourcesSessionMfaAuthenticatedUserAgentAwsEventId
Operators
lettoscalar_GetWatchlistwherehassummarizemake_listmv-expandtodynamicisnotemptycontainsnottostringinorinvokeproject