[Deprecation] AWS EC2 Snapshot Activity

[imays11]

Link to Rule

https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml

Description

This rule is very broad, capturing any time an EC2 instance snapshot's permission settings are modified via the ModifySnapshotAtrribute API.

This could be used to:

• grant access to a single external account add: <external.account.id>
• make the snapshot public add : all
• remove access from a single external account remove: <external.account.id>

PROBLEM:
The problem is that this rule is too generic and so captures all 3 of these very different activities. Additionally, this new rule : AWS EC2 EBS Snapshot Shared with Another Account @terrancedejesus captures the first use case listed above which means duplicate alerts for the same behavior as shown below.

SUGGESTION:

1. deprecate this rule because it's too broad
2. tune the existing new rule description, AWS EC2 EBS Snapshot Shared with Another Account, to include that this query actually captures both external account sharing and when a snapshot is made public
3. create a new rule to capture the removal of permissions for a snapshot

[botelastic]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[imays11]

this will be addressed this quarter as a part of AWS rule tuning effort