EC2 Create Snapshot | LogForge Templates Registry

aws ec2 ebs snapshot backup data-protection

📄 JSON Format

📊 12 Fields

✨ Generator

⏱️ High Frequency

Overview

Records when AWS EC2 EBS volume snapshots are created via the CreateSnapshot API. Snapshots are point-in-time copies of EBS volumes used for backup, disaster recovery, and data migration.

When Generated:

During automated backup processes (typically nights/weekends)
Before major system updates or deployments
For disaster recovery preparation
When migrating data between regions or accounts
During security testing (red team activities)
For development environment provisioning
Before risky maintenance operations

Security Relevance: Medium

Compliance: SOC 2 PCI DSS HIPAA GDPR SOX ISO 27001

Frequency Notes: High frequency - automated backup systems create many snapshots, especially during off-hours

Resources

Documentation

AWS EC2 CreateSnapshot API Reference official
EBS Snapshot Best Practices official
EBS Snapshot Encryption official

Tools

AWS EC2 Console - Web interface for managing EC2 instances and EBS resources
AWS CLI EC2 Commands - Command-line interface for EC2 snapshot operations
AWS Backup - Centralized backup service for AWS resources

Generation Configuration

Base Frequency: 45 events/hour

Time Patterns: business_hours night_hours weekend

Business Hours Multiplier: 1.5x

Night Hours Multiplier: 2.0x

Weekend Multiplier: 1.2x

Details

ec2_create_snapshot

Event Type

Fields

High

Frequency

Field Definitions

Complete field reference for this event type with data types, descriptions, and example values.

Field Name	Type	Required	Format	Description	Example Value	Possible Values
requestParameters.volumeId Source: Generated with proper vol- prefix	String	Required	`vol-[17 character hex string]`	ID of the EBS volume being snapshotted	`vol-0363e53e12f67c9b7`	—
responseElements.snapshotId Source: Generated with proper snap- prefix	String	Optional	`snap-[17 character hex string]`	ID of the created snapshot (on success)	`snap-02effb3bb62786b18`	—
responseElements.status Source: Static value (always pending for new snapshots)	String	Optional	—	Initial status of the snapshot	`pending`	—
responseElements.volumeSize Source: Random selection from common EBS sizes	String	Optional	—	Size of the volume in GB	`100`	`1` - Minimum EBS volume size (testing) `8` - Default EC2 instance root volume `100` - Common application volume size `500` - Large application volume `1000` - Database or large storage volume
responseElements.encrypted Source: Random boolean (encryption adoption varies)	Boolean	Optional	—	Whether the snapshot is encrypted	`true`	—
requestParameters.tagSpecificationSet Source: Random selection from common tagging patterns	Object	Optional	—	Tags to apply to the created snapshot	`{"items": [{"resourceType": "snapshot", "tags": [{"key": "Environment", "value": "prod"}]}]}`	—
errorCode Source: Random selection when error occurs (1 in 8 chance)	String	Optional	—	Error code when snapshot creation fails	`Client.InvalidVolume.NotFound`	`Client.InvalidVolume.NotFound` - Volume does not exist `Client.IncorrectState` - Volume not in snapshotable state `UnauthorizedOperation` - Insufficient permissions `Client.InvalidVolume.ZoneMismatch` - Volume in wrong availability zone
userAgent Source: Random selection from realistic EC2 user agents	String	Required	—	Client application used for the API call	`APN/1.0 HashiCorp/1.0 Terraform/1.1.2`	`terraform-provider-aws/` - Infrastructure as Code deployments `aws-cli/` - Command line automation `console.ec2.amazonaws.com` - Manual AWS Console operations `aws-sdk-python/` - Python automation scripts `stratus-red-team_` - Security testing tool
responseElements.startTime Source: Current timestamp in milliseconds	Integer	Optional	`Unix timestamp in milliseconds`	Timestamp when snapshot creation started	`1679351478226`	—
awsRegion Source: Random selection from common AWS regions	String	Required	—	AWS region where the snapshot was created	`us-west-2`	—
userIdentity.type Source: Random selection (IAMUser vs AssumedRole)	String	Required	—	Type of AWS identity creating the snapshot	`AssumedRole`	`IAMUser` - Direct IAM user (often service accounts) `AssumedRole` - Role assumption (federated or automation)
tlsDetails Source: Generated for Console and Terraform user agents	Object	Optional	—	TLS connection details for HTTPS calls	`{"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256"}`	—