Query: EBS Snapshot Shared Publicly

select
  tp_timestamp as timestamp,
  string_split(event_source, '.') [ 1 ] || ':' || event_name as operation,
  request_parameters ->> 'snapshotId' as resource,
  user_identity.arn as actor,
  tp_source_ip as source_ip,
  tp_index as account_id,
  aws_region as region,
  tp_id as source_id,
  *
from
  aws_cloudtrail_log
where
  event_source = 'ec2.amazonaws.com'
  and event_name = 'ModifySnapshotAttribute'
  and json_contains(
    (
      request_parameters -> 'createVolumePermission' -> 'add' -> 'items'
    ),
    '{"group": "all"}'
  )
  and error_code is null
order by
  event_time desc;