Synopsis
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 3 Days |
| Required Data | |
| Detection Modules | Cloud |
| Detector Tags | |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Informational |
Description
A running or stopped instance was exported to an Amazon S3 bucket.
Attacker's Goals
An attacker may exfiltrate data from an EC2 instance to an S3 bucket outside the account.
Investigative actions
- Check the identity that exported the instance.
- Check which S3 bucket the EC2 instance was exported to.
- Check the S3 bucket's permissions and policy.
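
The three investigative actions above, sketched as a triage helper. This is an added example, not part of the original page or the product's own detection logic. It assumes the export is logged by CloudTrail as a `CreateInstanceExportTask` event; the sample record, bucket policy, account IDs, bucket names and the `requestParameters` key names are constructed assumptions.

```python
# Constructed CloudTrail record (not real data). The requestParameters key names
# are an assumption; find_key() matches case-insensitively at any depth.
SAMPLE_EVENT = {
    "eventSource": "ec2.amazonaws.com", "eventName": "CreateInstanceExportTask",
    "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/build-svc"},
    "sourceIPAddress": "198.51.100.7",
    "requestParameters": {"instanceId": "i-0aaaaaaaaaaaaaaaa",
                          "exportToS3": {"s3Bucket": "unknown-drop-bucket"}}}
# Constructed bucket policy document for the destination bucket.
SAMPLE_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Principal": {"AWS": ["arn:aws:iam::111111111111:root",
                           "arn:aws:iam::222222222222:root"]},
     "Resource": "arn:aws:s3:::unknown-drop-bucket/*"}]}

def find_key(obj, name):
    """First value stored under `name` (case-insensitive) anywhere in nested JSON."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            if k.lower() == name:
                return v
        obj = list(obj.values())
    for item in obj if isinstance(obj, list) else []:
        hit = find_key(item, name)
        if hit is not None:
            return hit
    return None

def triage(event, owned_buckets):
    """Steps 1-2: who exported which instance, and into which bucket."""
    if event.get("eventName") != "CreateInstanceExportTask" or event.get("errorCode"):
        return None  # not an export, or the call failed and nothing was written
    params = event.get("requestParameters") or {}
    bucket = find_key(params, "s3bucket")
    return {"identity": event.get("userIdentity", {}).get("arn"),
            "source_ip": event.get("sourceIPAddress"),
            "instance": find_key(params, "instanceid"),
            "bucket": bucket, "bucket_owned": bucket in owned_buckets}

def external_principals(policy, account_id):
    """Step 3: AWS principals in Allow statements that are outside `account_id`."""
    found = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            principal = stmt.get("Principal", {})
            values = [principal] if isinstance(principal, str) else principal.get("AWS", [])
            values = [values] if isinstance(values, str) else values
            found += [p for p in values if account_id not in p]
    return found
```

`owned_buckets` is a hypothetical allowlist of buckets known to belong to the account; a destination outside it, or a policy that returns external principals, is the case the alert description warns about.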