MITRE ATT&CK® Data Component

DC0058: Snapshot Modification

Changes made to a cloud snapshot's metadata, attributes, or control settings. These modifications may involve adjusting access permissions, changing retention policies, or altering encryption settings.

*Data Collection Measures:*

- AWS CloudTrail - Tracks API calls such as `ModifySnapshotAttribute`, `ResetSnapshotAttribute`, and `ModifySnapshotTier`.
- Azure Monitor Logs - Logs changes via `Microsoft.Compute/snapshots/write`.
- Google Cloud Logging - Captures modifications through `compute.snapshots.setIamPolicy` and `compute.snapshots.patch`.

Enterprise | DC0058 | Data Component | Object v2.0 | Modified

Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Snapshot Modification is a cloud audit signal for changes to snapshot permissions, retention, encryption, metadata, or related control settings. For leaders, the value is not just knowing that a snapshot changed; it is knowing whether those changes could affect data exposure, recovery readiness, evidence preservation, or cloud governance.

Executive priority

Prioritize this data component where cloud snapshots are used for backup, recovery, migration, investigation, or compliance evidence. Security and risk owners should ask whether snapshot changes are centrally logged, reviewed, and tied to approved change activity, because unauthorized or poorly governed changes can undermine recovery objectives, data protection expectations, and audit confidence.

Technical view

SOC, cloud security, and IR teams should validate collection of cloud control-plane events related to snapshot modification. The supplied ATT&CK data collection measures identify AWS CloudTrail events such as ModifySnapshotAttribute, ResetSnapshotAttribute, and ModifySnapshotTier; Azure Monitor Logs activity such as Microsoft.Compute/snapshots/write; and Google Cloud Logging activity such as compute.snapshots.setIamPolicy and compute.snapshots.patch. Detection content is not provided by ATT&CK for this data component, so teams should build local logic around who changed what, when, from where, and whether the change aligns with approved operations.

Likely telemetry

  • AWS CloudTrail records for snapshot modification APIs, including ModifySnapshotAttribute, ResetSnapshotAttribute, and ModifySnapshotTier
  • Azure Monitor Logs for Microsoft.Compute/snapshots/write activity
  • Google Cloud Logging records for compute.snapshots.setIamPolicy and compute.snapshots.patch
  • Cloud identity context associated with the modifying principal
  • Snapshot metadata, permission, retention, tiering, and encryption-setting change history where available

Detection direction

  • Validate that cloud control-plane logging is enabled and retained long enough to support incident response and compliance review.
  • Create review logic for snapshot permission changes, encryption-setting changes, retention-policy changes, and tier or attribute modifications.
  • Tune alerts against expected administrative and backup workflows to reduce false positives from routine lifecycle management.
  • Correlate snapshot changes with identity context, source location, time of day, and approved change records.
  • Pay special attention to blind spots where snapshot logging is not centralized, cloud accounts or subscriptions are excluded, or logs are retained for less time than investigation requirements.
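
The review logic described above, sketched for the AWS CloudTrail source as an added example (not code from MITRE or Glexia). The allowlists, account IDs, principals and sample records are constructed for illustration, and the `requestParameters` layout is an assumption about how CloudTrail records `ModifySnapshotAttribute`.

```python
import json

# Event names from the collection measures listed on this page.
SNAPSHOT_EVENTS = {"ModifySnapshotAttribute", "ResetSnapshotAttribute", "ModifySnapshotTier"}
# Assumed local allowlists; a team would load these from its own change and IAM records.
APPROVED_PRINCIPALS = {"arn:aws:iam::111122223333:user/backup-svc"}
TRUSTED_ACCOUNTS = {"111122223333", "444455556666"}

# Constructed sample records (not real logs), one JSON object per line.
SAMPLE_LOG = """
{"eventTime":"2024-05-01T02:00:11Z","eventName":"ModifySnapshotTier","sourceIPAddress":"198.51.100.7","userIdentity":{"arn":"arn:aws:iam::111122223333:user/backup-svc"},"requestParameters":{"snapshotId":"snap-0aaa"}}
{"eventTime":"2024-05-01T03:14:09Z","eventName":"ModifySnapshotAttribute","sourceIPAddress":"203.0.113.50","userIdentity":{"arn":"arn:aws:iam::111122223333:user/dev-temp"},"requestParameters":{"snapshotId":"snap-0bbb","createVolumePermission":{"add":{"items":[{"group":"all"}]}}}}
{"eventTime":"2024-05-01T04:30:00Z","eventName":"ModifySnapshotAttribute","sourceIPAddress":"198.51.100.7","userIdentity":{"arn":"arn:aws:iam::111122223333:user/backup-svc"},"requestParameters":{"snapshotId":"snap-0ccc","createVolumePermission":{"add":{"items":[{"userId":"999900001111"}]}}}}
{"eventTime":"2024-05-01T04:31:00Z","eventName":"DescribeSnapshots","sourceIPAddress":"198.51.100.7","userIdentity":{"arn":"arn:aws:iam::111122223333:user/backup-svc"},"requestParameters":{}}
"""

def shared_with(record):
    """Groups and account IDs this request adds to the snapshot's volume permissions."""
    params = record.get("requestParameters") or {}
    items = ((params.get("createVolumePermission") or {}).get("add") or {}).get("items") or []
    return [v for i in items for v in (i.get("group"), i.get("userId")) if v]

def triage(record):
    """Answer who changed what, when, from where, and whether it looks approved."""
    if record.get("eventName") not in SNAPSHOT_EVENTS:
        return None  # not a snapshot modification event
    who = (record.get("userIdentity") or {}).get("arn", "unknown")
    targets, reasons = shared_with(record), []
    if "all" in targets:
        reasons.append("snapshot made public")
    external = [t for t in targets if t != "all" and t not in TRUSTED_ACCOUNTS]
    if external:
        reasons.append("shared with untrusted account " + ",".join(external))
    severity = "high" if reasons else "low"
    if who not in APPROVED_PRINCIPALS:
        reasons.append("principal not on approved list")
        severity = "medium" if severity == "low" else severity
    return {"severity": severity, "event": record["eventName"], "who": who,
            "when": record.get("eventTime"), "from": record.get("sourceIPAddress"),
            "snapshot": (record.get("requestParameters") or {}).get("snapshotId"),
            "reasons": reasons}

def triage_log(text):
    """Triage every JSON line and keep only in-scope snapshot modifications."""
    results = (triage(json.loads(line)) for line in text.strip().splitlines())
    return [r for r in results if r]

if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(finding)
```
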

Mitigation priorities

  • Establish ownership and change-control expectations for cloud snapshots used in backup, recovery, migration, or evidence workflows.
  • Restrict who can modify snapshot permissions, retention, encryption, and related control settings using least-privilege access practices.
  • Ensure AWS CloudTrail, Azure Monitor Logs, and Google Cloud Logging coverage is enabled for relevant environments where those services are used.
  • Retain snapshot modification logs for incident response, audit, and compliance needs.
  • Periodically review snapshot access and configuration changes against policy and approved operational activity.
Analyst notes and limits

This ATT&CK object is a data component, not a technique. Its defensive value is as evidence that cloud snapshot control settings changed. The official object provides collection measures for AWS, Azure, and Google Cloud logging sources, but no detection analytics, tactics, platforms, or relationship context were supplied.

The object does not provide official detection logic, tactic mappings, platform values, or related techniques. Local cloud inventory, IAM model, backup architecture, retention requirements, and change-management data are required to determine materiality and alerting thresholds.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 2.0
Created:
Modified:
Raw hash: c29507b2621e95f0...

Imported snapshots across ATT&CK releases (1)

| Release | Bundle imported | Object version | Modified | Status | Raw hash |
| --- | --- | --- | --- | --- | --- |
| 19.1 | | 2.0 | | Current bundle | c29507b2621e… |

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.