An AWS EC2 instance containing sensitive data was exported

Cortex XSIAM Analytics Alert Reference by Alert name
Product
Cortex XSIAM
Last date published
2026-05-18
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

3 Days

Required Data

  • Requires:
    • AWS Audit Log

Detection Modules

Cloud

Detector Tags

Cloud Data Asset Stealth Tactics, Data Detection & Response

ATT&CK Tactic

Exfiltration (TA0010)

ATT&CK Technique

Transfer Data to Cloud Account (T1537)

Severity

Informational

Description

A EC2 instance was exported to an S3 bucket.
The instance was found to contain sensitive data.

Attacker's Goals

An attack may exfiltrate data from an EC2 instance to an S3 bucket outside the account.

Investigative actions

  • Check the identity that exported the instance.
  • Check to which S3 bucket the EC2 was exported into.
  • Check the S3 bucket permission and policy.