AWS EC2 instance exported into S3

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-06-04
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

3 Days

Required Data

  • Requires:
    • AWS Audit Log

Detection Modules

Cloud

ATT&CK Tactic

Exfiltration (TA0010)

ATT&CK Technique

Transfer Data to Cloud Account (T1537)

Severity

Informational

Description

A running or stopped instance was exported to an Amazon S3 bucket.

Attacker's Goals

An attacker may exfiltrate data from an EC2 instance to an S3 bucket outside the account.

Investigative actions

  • Check the identity that exported the instance.
  • Check which S3 bucket the EC2 instance was exported to.
  • Check the S3 bucket's permissions and policy.
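The three investigative actions above, carried out over an audit-log record, as an added example that is not part of Cortex XDR or this reference: it parses a constructed CloudTrail event for the EC2 export API and flags a target bucket owned by a different account. The event field names and the bucket-owner lookup are assumptions; verify them against a real event from your own account.

```python
"""Added triage helper for this alert (not Cortex XDR code).

Parses a constructed CloudTrail record for the EC2 CreateInstanceExportTask
call and answers: who exported, which instance, to which bucket, and is that
bucket outside the account. Field names are assumptions modelled on the usual
CloudTrail layout; check them against a real event before relying on them."""
import json

# Constructed sample event; account ids, ARN and bucket name are placeholders.
SAMPLE_EVENT = json.dumps({
    "eventSource": "ec2.amazonaws.com",
    "eventName": "CreateInstanceExportTask",
    "recipientAccountId": "111111111111",
    "userIdentity": {"type": "IAMUser",
                     "arn": "arn:aws:iam::111111111111:user/alice"},
    "requestParameters": {
        "instanceId": "i-0123456789abcdef0",
        "exportToS3": {"s3Bucket": "example-export-bucket",
                       "s3Prefix": "exports/"},
    },
})

# Constructed map of bucket name -> owning account id, standing in for the
# bucket-owner / bucket-policy lookup you would run during triage.
KNOWN_BUCKET_OWNERS = {"example-export-bucket": "222222222222"}


def triage_export_event(raw_event: str, bucket_owners: dict) -> dict:
    """Extract actor, instance and destination bucket from one audit-log
    record and mark whether the bucket belongs to another account."""
    event = json.loads(raw_event)
    if event.get("eventName") != "CreateInstanceExportTask":
        return {"matched": False}
    params = event.get("requestParameters", {})
    bucket = params.get("exportToS3", {}).get("s3Bucket")
    owner = bucket_owners.get(bucket)  # None when the bucket is unknown
    account = event.get("recipientAccountId")
    return {
        "matched": True,
        "actor": event.get("userIdentity", {}).get("arn"),
        "instance_id": params.get("instanceId"),
        "bucket": bucket,
        "bucket_owner": owner,
        # An unknown owner is treated like a foreign one: both need a look
        # at the bucket policy before the alert is closed.
        "cross_account": owner != account,
    }


if __name__ == "__main__":
    print(json.dumps(triage_export_event(SAMPLE_EVENT, KNOWN_BUCKET_OWNERS),
                     indent=2))
```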