DC0092: Volume Modification
Changes made to a cloud volume, including its settings and control data (ex: AWS modify-volume)
Analyst context for executives and security teams
Volume Modification is a cloud data component for changes to a cloud storage volume’s settings or control data, such as an AWS modify-volume action. For leaders, its value is not that it describes an attack by itself, but that it identifies a class of cloud control-plane evidence needed to understand when critical storage has been changed. If this evidence is missing, teams may struggle to explain storage configuration changes during an incident, validate change control, or prove that cloud volume settings remained within policy.
Executive priority
Prioritize this as a cloud security and audit-readiness visibility question: can the organization reliably see, retain, and review changes to cloud volume configuration and control data? This matters for operational resilience because cloud volumes often support business systems, backups, databases, and forensic evidence. It also matters for incident response and compliance because volume changes may need to be tied back to an approved user, role, automation, or change ticket.
Technical view
SOC, cloud security, and IR teams should validate that cloud volume modification events are captured from the relevant cloud control plane, including the actor, target volume, time, request parameters, source context, and result. Because ATT&CK provides no tactic, platform list, relationship context, or detection guidance for this data component, local use cases should drive analytics: approved change validation, unexpected setting changes, high-risk volume changes outside maintenance windows, and changes performed by unusual identities or automation.
Likely telemetry
- Cloud control-plane audit logs for volume modification events
- Cloud storage or block-volume configuration history
- Identity and access records showing the user, role, service account, or automation that made the change
- Change-management records for approved volume configuration changes
- Asset inventory or cloud configuration management data for affected volumes
Detection direction
- Confirm that volume modification events are logged and retained for all in-scope cloud accounts, projects, or subscriptions where cloud volumes are used.
- Baseline normal administrative and automation-driven volume changes to reduce false positives from routine scaling, maintenance, or infrastructure-as-code activity.
- Correlate volume changes with identity context, change tickets, and asset criticality to distinguish expected operations from changes requiring investigation.
- Review blind spots where logs are disabled, retained too briefly, not centralized, or lack request parameters needed to understand what changed.
- Because MITRE provides no official detection text for this component, treat detections as environment-specific validations rather than guaranteed coverage.
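One way to turn the checks above (identity, change window, asset criticality, missing request parameters) into a first-pass triage over audit records. This is an added example, not part of the ATT&CK object or Glexia's tooling. The sample events are constructed, the allow-list, critical-volume set and maintenance window are hypothetical, and the requestParameters layout is an assumption to verify against your own CloudTrail data.

```python
from datetime import datetime, time

# Hypothetical local policy inputs; replace with your own sources of truth.
APPROVED_ACTORS = {"arn:aws:iam::111122223333:role/iac-deployer"}
CRITICAL_VOLUMES = {"vol-0aaa1111bbbb2222c"}
WINDOW_UTC = (time(1, 0), time(3, 0))  # maintenance window, UTC

# Constructed sample records (not real logs). Top-level field names follow
# CloudTrail; the requestParameters layout is an assumption to verify locally.
SAMPLE_EVENTS = [
    {"eventTime": "2026-01-10T01:30:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifyVolume",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/iac-deployer"},
     "requestParameters": {"ModifyVolumeRequest": {"VolumeId": "vol-0aaa1111bbbb2222c", "Size": 200}}},
    {"eventTime": "2026-01-10T14:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifyVolume",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/temp-contractor"},
     "requestParameters": {"ModifyVolumeRequest": {"VolumeId": "vol-0aaa1111bbbb2222c", "Iops": 100}}},
    {"eventTime": "2026-01-10T02:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifyVolume",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/iac-deployer"}},
    {"eventTime": "2026-01-10T02:10:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeVolumes", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/x"}},
]

def review(event):
    """Return None for unrelated events, else a list of review reasons."""
    if (event.get("eventSource"), event.get("eventName")) != ("ec2.amazonaws.com", "ModifyVolume"):
        return None
    reasons = []
    params = event.get("requestParameters") or {}
    params = params.get("ModifyVolumeRequest", params)  # tolerate a flat layout
    volume = params.get("VolumeId") or params.get("volumeId")
    if not volume:
        reasons.append("missing request parameters")  # logging blind spot
    actor = (event.get("userIdentity") or {}).get("arn", "unknown")
    if actor not in APPROVED_ACTORS:
        reasons.append("unapproved identity")
    when = datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ").time()
    if volume in CRITICAL_VOLUMES and not WINDOW_UTC[0] <= when < WINDOW_UTC[1]:
        reasons.append("critical volume changed outside maintenance window")
    if event.get("errorCode"):
        reasons.append("request failed: " + event["errorCode"])
    return reasons

def findings(events):
    """Pair each ModifyVolume event time with its non-empty review reasons."""
    return [(e["eventTime"], r) for e in events if (r := review(e))]
```

An empty reason list means the change matched local policy; it does not replace correlation with the change ticket itself.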
Mitigation priorities
- Ensure cloud audit logging and centralized retention cover volume modification events.
- Limit who or what can modify cloud volume settings through least-privilege access and controlled administrative roles.
- Require documented change control for production or critical volumes, including automation changes.
- Monitor configuration drift for important volumes and alert when changes do not match approved policy.
- Include volume modification evidence in incident response collection plans and compliance evidence procedures.
Analyst notes and limits
This object is a data component, not a technique. It is useful for deciding whether the organization has the evidence needed to detect, investigate, and govern cloud volume changes. The only concrete example supplied by ATT&CK is AWS modify-volume, so broader cloud-provider applicability should be validated against the local environment and log sources.
No ATT&CK tactics, platforms, relationships, or official detection guidance were supplied. This take therefore does not infer adversary intent, active exploitation, affected providers beyond the supplied cloud-volume description and AWS example, or guaranteed detection outcomes.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.0 | | Current bundle | 33da018c805e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack DC0092
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.