Triggers
- A credential was observed performing a set of AWS control plane API actions related to exfiltration of EC2 snapshots.
Possible Root Causes
- An attacker may be actively looking for privilege escalation opportunities.
- A security or IT service may intentionally be enumerating these APIs for monitoring reasons.
Business Impact
- Exfiltration by an attacker of EC2 snapshots may expose details that support further attack progression, or lead to data loss.
Steps to Verify
- Investigate the account context that performed this action for other signs of malicious activity.
- Investigate for data loss.
- If review indicates possible malicious actions or a high-risk configuration, revert the applicable configurations and disable the credentials associated with this alert, then perform a comprehensive investigation.
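The verification steps above can be partly automated against CloudTrail. The script below is an added example, not part of this playbook or any vendor tooling: it takes CloudTrail-style records, isolates the activity of the principal named in the alert, separates snapshot-related calls from everything else the credential did (the "account context" step), and extracts any accounts the snapshots were shared with outside the owning account (the "data loss" step). The set of API names treated as snapshot-related, the principal ARNs, account IDs and all sample events are constructed assumptions; the record shape follows CloudTrail's `userIdentity` / `requestParameters` layout.

```python
"""Triage helper for an 'EC2 snapshot exfiltration' alert.

Added example only. Assumes CloudTrail-style JSON records and a hypothetical
set of snapshot-related EC2 API names. Every event below is constructed.
"""
import json
from collections import Counter

# Assumption: these EC2 control-plane actions are the ones the alert groups
# under "exfiltration of EC2 snapshots".
SNAPSHOT_ACTIONS = {
    "DescribeSnapshots", "CreateSnapshot", "CopySnapshot", "ModifySnapshotAttribute",
}

ALICE = "arn:aws:iam::111111111111:user/alice"            # constructed principal
SCANNER = "arn:aws:iam::111111111111:role/SecurityScanner"  # constructed principal


def _event(time, source, name, arn, params):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "recipientAccountId": "111111111111",
            "userIdentity": {"arn": arn}, "requestParameters": params}


# Constructed sample events: one credential enumerates, snapshots, shares a
# snapshot to a foreign account and pokes at IAM; a scanner role only enumerates.
SAMPLE_EVENTS = [
    _event("2024-01-01T10:00:00Z", "ec2.amazonaws.com", "DescribeSnapshots", ALICE, {}),
    _event("2024-01-01T10:01:00Z", "ec2.amazonaws.com", "CreateSnapshot", ALICE,
           {"volumeId": "vol-0abc"}),
    # Share to the same account: not an external share, must not be flagged.
    _event("2024-01-01T10:02:00Z", "ec2.amazonaws.com", "ModifySnapshotAttribute", ALICE,
           {"snapshotId": "snap-0def",
            "createVolumePermission": {"add": {"items": [{"userId": "111111111111"}]}}}),
    # Share to a foreign account: this is the data-loss indicator.
    _event("2024-01-01T10:03:00Z", "ec2.amazonaws.com", "ModifySnapshotAttribute", ALICE,
           {"snapshotId": "snap-0def",
            "createVolumePermission": {"add": {"items": [{"userId": "222222222222"}]}}}),
    _event("2024-01-01T10:04:00Z", "iam.amazonaws.com", "ListAttachedUserPolicies", ALICE,
           {"userName": "alice"}),
    _event("2024-01-01T10:05:00Z", "ec2.amazonaws.com", "DescribeSnapshots", SCANNER, {}),
]


def external_share_targets(event):
    """Return the set of foreign account IDs (or 'PUBLIC') a ModifySnapshotAttribute
    call granted createVolumePermission to; empty for any other call."""
    if event["eventName"] != "ModifySnapshotAttribute":
        return set()
    params = event.get("requestParameters") or {}
    items = params.get("createVolumePermission", {}).get("add", {}).get("items", [])
    owner = event["recipientAccountId"]
    targets = set()
    for item in items:
        if item.get("group") == "all":          # public snapshot
            targets.add("PUBLIC")
        elif item.get("userId") and item["userId"] != owner:
            targets.add(item["userId"])
    return targets


def triage(events, principal_arn):
    """Summarise one principal's activity for the analyst working this alert."""
    mine = [e for e in events if e["userIdentity"]["arn"] == principal_arn]
    actions = Counter(e["eventName"] for e in mine)
    shares = {}
    for e in mine:
        targets = external_share_targets(e)
        if targets:
            snap = e["requestParameters"].get("snapshotId", "<unknown>")
            shares.setdefault(snap, set()).update(targets)
    return {
        "snapshot_calls": {k: v for k, v in actions.items() if k in SNAPSHOT_ACTIONS},
        "other_calls": {k: v for k, v in actions.items() if k not in SNAPSHOT_ACTIONS},
        "external_shares": shares,
        "possible_data_loss": bool(shares),
    }


if __name__ == "__main__":
    for arn in (ALICE, SCANNER):
        print(arn)
        print(json.dumps(triage(SAMPLE_EVENTS, arn), indent=2, default=sorted))
```

Run against real telemetry, feed it the CloudTrail records for the credential in the alert and a window around the trigger time. A non-empty `external_shares` map tells you which snapshot IDs to check and which recipient accounts need to have the share revoked; `other_calls` is where IAM enumeration or policy changes by the same credential would show up, which distinguishes the "attacker" root cause from the "security tooling enumerating APIs" one.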