Modify Cloud Compute Infrastructure:  Создание снапшота

Обнаружение

The creation of a snapshot is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities such as the creation of one or more snapshots and the restoration of these snapshots by a new user account. In AWS, CloudTrail logs capture the creation of snapshots and all API calls for AWS Backup as events. Using the information collected by CloudTrail, you can determine the request that was made, the IP address from which the request was made, which user made the request, when it was made, and additional details.(Citation: AWS Cloud Trail Backup API). In Azure, the creation of a snapshot may be captured in Azure activity logs. Backup restoration events can also be detected through Azure Monitor Log Data by creating a custom alert for completed restore jobs.(Citation: Azure - Monitor Logs) Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of the gcloud compute instances create command to create a new VM disk from a snapshot.(Citation: Cloud Audit Logs) It is also possible to detect the usage of the GCP API with the "sourceSnapshot": parameter pointed to "global/snapshots/[BOOT_SNAPSHOT_NAME].(Citation: GCP - Creating and Starting a VM)

Ссылки

1. Google. (2020, April 23). Creating and Starting a VM instance. Retrieved May 1, 2020.
2. Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
3. Microsoft. (2019, June 4). Monitor at scale by using Azure Monitor. Retrieved May 1, 2020.
4. Amazon. (2020). Logging AWS Backup API Calls with AWS CloudTrail. Retrieved April 27, 2020.
5. Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020.