Query Details

AWS Cloud Trail AWS EBS Snapshot Publicly Exposed

Query

// https://github.com/FalconForceTeam/FalconFriday/blob/master/Collection/0xFF-0236-Resource_Shared_with_Unknown_External_Account-AWS.md
let _SharedAWSAccounts = toscalar(
    _GetWatchlist("AccountId-AuditAWSAccounts")
    | where Notes has "[ShareSnapshot]"
    | summarize make_list(AccountId)
);
AWSCloudTrail
| where EventName == "ModifySnapshotAttribute"
| mv-expand Item = todynamic(RequestParameters)["createVolumePermission"]["add"]["items"]
| where isnotempty(Item)
| where Item["userId"] contains "*" or not(tostring(Item["userId"]) in (_SharedAWSAccounts)) or Item or Item["group"] has "all"
| invoke AWSIdentityRole()
| project
    TimeGenerated,
    UserIdentityType,
    Identity,
    ActorRole,
    UserIdentityAccountId,
    UserIdentityAccountName,
    RecipientAccountId,
    RecipientAccountName,
    AWSRegion,
    SessionCreationDate,
    UserIdentityPrincipalid,
    UserIdentityArn,
    SourceIpAddress,
    EventSource,
    EventTypeName,
    EventName,
    ManagementEvent,
    ReadOnly,
    ErrorCode,
    ErrorMessage,
    RequestParameters,
    ResponseElements,
    Resources,
    SessionMfaAuthenticated,
    UserAgent,
    AwsEventId

Explanation

This KQL query is designed to identify and analyze AWS CloudTrail events where an Amazon EBS snapshot's permissions have been modified to share it with external accounts that are either unknown or not pre-approved. Here's a simplified breakdown of what the query does:

  1. Define a List of Approved Accounts:

    • It retrieves a list of AWS account IDs from a watchlist named "AccountId-AuditAWSAccounts" that are marked with the note "[ShareSnapshot]". These are considered approved accounts for sharing snapshots.
  2. Filter CloudTrail Events:

    • It looks at the AWSCloudTrail logs for events where the EventName is "ModifySnapshotAttribute". This event indicates changes to the sharing permissions of an EBS snapshot.
  3. Expand and Filter Permissions:

    • The query expands the createVolumePermission attribute to check the list of accounts or groups that have been added to the snapshot's permissions.
    • It filters out events where:
      • The userId contains a wildcard ("*"), indicating a broad or potentially insecure permission.
      • The userId is not in the list of approved accounts (_SharedAWSAccounts).
      • The permission is granted to the "all" group, which means the snapshot is publicly accessible.
  4. Invoke Additional Information:

    • It calls a function AWSIdentityRole() to gather more details about the identity roles involved in the event.
  5. Select Relevant Data:

    • Finally, it projects (selects) various fields from the event logs to provide detailed information about the event, such as the time it occurred, the identity and role of the user who made the change, the AWS region, the source IP address, and other relevant metadata.

In summary, this query helps identify potentially risky or unauthorized sharing of AWS EBS snapshots by checking for modifications that involve unknown or unapproved external accounts.

Details

Jose Sebastián Canós profile picture

Jose Sebastián Canós

Released: March 11, 2024

Tables

AWSCloudTrail

Keywords

AWSCloudTrailAWSIdentityRoleAccountIdUserIdentityTypeIdentityActorRoleUserIdentityAccountIdUserIdentityAccountNameRecipientAccountIdRecipientAccountNameAWSRegionSessionCreationDateUserIdentityPrincipalidUserIdentityArnSourceIpAddressEventSourceEventTypeNameEventNameManagementEventReadOnlyErrorCodeErrorMessageRequestParametersResponseElementsResourcesSessionMfaAuthenticatedUserAgentAwsEventId

Operators

lettoscalar_GetWatchlistwherehassummarizemake_listmv-expandtodynamicisnotemptycontainsnottostringinorinvokeproject

Actions

GitHub