EC2 Create Snapshot
EBS volume snapshot creation event
AWS EC2 CreateSnapshot API call for creating EBS volume snapshots
aws
ec2
ebs
snapshot
backup
data-protection
JSON Format
12 Fields
High Frequency
Generator
Overview
Records when AWS EC2 EBS volume snapshots are created via the CreateSnapshot API. Snapshots are point-in-time copies of EBS volumes used for backup, disaster recovery, and data migration.
When Generated:
- During automated backup processes (typically nights/weekends)
- Before major system updates or deployments
- For disaster recovery preparation
- When migrating data between regions or accounts
- During security testing (red team activities)
- For development environment provisioning
- Before risky maintenance operations
Security Relevance:
MediumCompliance:
SOC 2
PCI DSS
HIPAA
GDPR
SOX
ISO 27001
Frequency Notes:
High frequency - automated backup systems create many snapshots, especially during off-hours
Resources
Documentation
- AWS EC2 CreateSnapshot API Reference official
- EBS Snapshot Best Practices official
- EBS Snapshot Encryption official
Tools
-
AWS EC2 Console
Web interface for managing EC2 instances and EBS resources
-
AWS CLI EC2 Commands
Command-line interface for EC2 snapshot operations
-
AWS Backup
Centralized backup service for AWS resources
Generation Configuration
Base Frequency: 45 events/hour
Time Patterns:
business_hours
night_hours
weekend
Business Hours Multiplier: 1.5x
Night Hours Multiplier: 2.0x
Weekend Multiplier: 1.2x
Field Definitions
Complete field reference for this event type with data types, descriptions, and example values.
| Field Name | Type | Required | Format | Description | Example | Possible Values |
|---|---|---|---|---|---|---|
|
requestParameters.volumeId
Source: Generated with proper vol- prefix
|
String | Required |
vol-[17 character hex string]
|
ID of the EBS volume being snapshotted |
vol-0363e53e12f67c9b7
|
— |
|
responseElements.snapshotId
Source: Generated with proper snap- prefix
|
String | Optional |
snap-[17 character hex string]
|
ID of the created snapshot (on success) |
snap-02effb3bb62786b18
|
— |
|
responseElements.status
Source: Static value (always pending for new snapshots)
|
String | Optional | — | Initial status of the snapshot |
pending
|
— |
|
responseElements.volumeSize
Source: Random selection from common EBS sizes
|
String | Optional | — | Size of the volume in GB |
100
|
1
— Minimum EBS volume size (testing)
8
— Default EC2 instance root volume
100
— Common application volume size
500
— Large application volume
1000
— Database or large storage volume
|
|
responseElements.encrypted
Source: Random boolean (encryption adoption varies)
|
Boolean | Optional | — | Whether the snapshot is encrypted |
true
|
— |
|
requestParameters.tagSpecificationSet
Source: Random selection from common tagging patterns
|
Object | Optional | — | Tags to apply to the created snapshot |
{"items": [{"resourceType": "snapshot", "tags": [{"key": "Environment", "value": "prod"}]}]}
|
— |
|
errorCode
Source: Random selection when error occurs (1 in 8 chance)
|
String | Optional | — | Error code when snapshot creation fails |
Client.InvalidVolume.NotFound
|
Client.InvalidVolume.NotFound
— Volume does not exist
Client.IncorrectState
— Volume not in snapshotable state
UnauthorizedOperation
— Insufficient permissions
Client.InvalidVolume.ZoneMismatch
— Volume in wrong availability zone
|
|
userAgent
Source: Random selection from realistic EC2 user agents
|
String | Required | — | Client application used for the API call |
APN/1.0 HashiCorp/1.0 Terraform/1.1.2
|
terraform-provider-aws/*
— Infrastructure as Code deployments
aws-cli/*
— Command line automation
console.ec2.amazonaws.com
— Manual AWS Console operations
aws-sdk-python/*
— Python automation scripts
stratus-red-team_*
— Security testing tool
|
|
responseElements.startTime
Source: Current timestamp in milliseconds
|
Integer | Optional |
Unix timestamp in milliseconds
|
Timestamp when snapshot creation started |
1679351478226
|
— |
|
awsRegion
Source: Random selection from common AWS regions
|
String | Required | — | AWS region where the snapshot was created |
us-west-2
|
— |
|
userIdentity.type
Source: Random selection (IAMUser vs AssumedRole)
|
String | Required | — | Type of AWS identity creating the snapshot |
AssumedRole
|
IAMUser
— Direct IAM user (often service accounts)
AssumedRole
— Role assumption (federated or automation)
|
|
tlsDetails
Source: Generated for Console and Terraform user agents
|
Object | Optional | — | TLS connection details for HTTPS calls |
{"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256"}
|
— |
Details
12
Fields
High
Frequency
6
Tags
ec2_create_snapshot
Event Type
Tags:
aws
ec2
ebs
snapshot
backup
data-protection
Feedback
No ratings yet