Daily Blog #672: AWS EBS Snapshot Block Access

AWS EBS Snapshot Block Access

Hello Reader,
     It's time for to be side tracked. I've been exploring pancake viewer in the past few daily blog, and I do plan to get back to that, but for now I read about something that AWS has published back in December of 2019 (aka the before times) which you can read here:


I don't remember what crossed my feed to direct me there but once I read it I knew at once this was something I needed to test. Let me explain.

1. This API is similar to one Microsoft has in Azure that allows you to access individual 512k blocks that make up a VHD stores as a blog in Azure.
2. This API allows you, in the language of your choice, to read individual 512k blocks (think sectors) out of a snapshot
3. That means you can triage a AWS snapshot like it was a physical disk, skipping through sectors rather than transferring/imaging the whole thing

This is amazing and where the entire field of Cloud IR needs to go to be fast and silent You can create a snapshot without an agent, write blocker or letting the attacker know you're there. Even better with a quick Lambda you can do this automatically and then kick off a triage process to do it for you and then email you when its done.

This is actual API call you make:


I decided to test this out by spinning up a new free tier Amazon Linux AMI, giving it a Admin IAM role to access my EBS stores and then from the CLI I created the snapshot. From within python I then pulled and printed the first EBS Block.

Also in the video I thought I couldn't do this through the CLI, turns out I was just calling the wrong stub. You can absolutely do it through the CLI with the following command:
aws ebs get-snapshot-blocks --snapshot-id= --block-index --block-token

To me this is amazing and I plan to expand on this example in the coming week.

Watch below for a Test Kitchen of me grabbing the first block/sector out of the snapshot getting the EFI header of my Amazon Linux AMI disk.

Post a Comment