Delete EBS Snapshot
An adversary may attempt to delete an EBS snapshot.
| snapshotid | str | ID of the snapshot that you want to delete | snapshot_ID |
aws ec2 delete-snapshot --snapshot-id snapshot_ID
When logs are ingested into ELK, the following Lucene query can be used to identify relevant events.
eventName:DeleteSnapshot AND eventSource:*.ec2.amazonaws.com
---
title: Delete EBS Snapshot
id: testing
status: experimental
author: Anela Tiro
date: 2023-07-01
description: An adversary may attempt to delete an EBS snapshot
logsource:
  service: cloudtrail
detection:
  selection_source:
    - eventSource: "*.ec2.amazonaws.com"
  events:
    - eventName: "DeleteSnapshot"
  condition: selection_source AND events
level: low
tags:
  - attack.T1537
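The following is an added example, not part of the original page or its project: it applies the same two conditions as the query and rule above to CloudTrail-shaped records, then groups matches per principal so that routine single deletions can be told apart from bursts and denied attempts. The records, ARNs, snapshot IDs, the `summarize` helper, and the burst threshold (3 deletions in 10 minutes) are all constructed assumptions; the source check also accepts the bare `ec2.amazonaws.com` value that CloudTrail records for EC2 API calls.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ALICE = "arn:aws:iam::111122223333:user/alice"             # placeholder principal
BACKUP = "arn:aws:iam::111122223333:role/backup-rotation"  # placeholder principal

def _rec(time, arn, name="DeleteSnapshot", snap=None, error=None):
    rec = {"eventTime": time, "eventSource": "ec2.amazonaws.com", "eventName": name,
           "userIdentity": {"arn": arn}, "requestParameters": {"snapshotId": snap}}
    if error:
        rec["errorCode"] = error
    return rec

# Constructed sample events, not real log data.
SAMPLE = [
    _rec("2023-07-01T02:00:00Z", BACKUP, snap="snap-EXAMPLE1"),
    _rec("2023-07-01T14:01:00Z", ALICE, name="CreateSnapshot"),
    _rec("2023-07-01T14:02:00Z", ALICE, snap="snap-EXAMPLE2"),
    _rec("2023-07-01T14:03:00Z", ALICE, snap="snap-EXAMPLE3"),
    _rec("2023-07-01T14:04:00Z", ALICE, snap="snap-EXAMPLE4",
         error="Client.UnauthorizedOperation"),
    _rec("2023-07-01T14:05:00Z", ALICE, snap="snap-EXAMPLE5"),
]

def is_delete_snapshot(rec):
    """Same two conditions as the rule: event name plus EC2 event source."""
    src = rec.get("eventSource", "")
    # Assumption: accept the bare EC2 source as well as any "*.ec2.amazonaws.com" value.
    from_ec2 = src == "ec2.amazonaws.com" or src.endswith(".ec2.amazonaws.com")
    return rec.get("eventName") == "DeleteSnapshot" and from_ec2

def summarize(records, window=timedelta(minutes=10), burst=3):
    """Group matches per principal; flag `burst` successful deletions inside `window`."""
    per_actor = defaultdict(list)
    for rec in filter(is_delete_snapshot, records):
        actor = rec.get("userIdentity", {}).get("arn", "unknown")
        when = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        snap = (rec.get("requestParameters") or {}).get("snapshotId")
        per_actor[actor].append((when, snap, "errorCode" in rec))
    findings = {}
    for actor, hits in per_actor.items():
        ok = sorted((t, s) for t, s, denied in hits if not denied)
        times = [t for t, _ in ok]
        findings[actor] = {
            "deleted": [s for _, s in ok],
            "denied": sum(d for _, _, d in hits),
            "burst": any(times[i + burst - 1] - times[i] <= window
                         for i in range(len(times) - burst + 1)),
        }
    return findings
```

Calling `summarize(SAMPLE)` returns one entry per principal with the snapshots deleted, the number of denied attempts, and whether the deletions formed a burst.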