AWS EC2 Encryption Disabled

Identifies disabling of Amazon Elastic Block Store (EBS) encryption by default in the current region. Disabling encryption by default does not change the encryption status of your existing volumes.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2020/06/05"
integration = ["aws"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies disabling of Amazon Elastic Block Store (EBS) encryption by default in the current region. Disabling
encryption by default does not change the encryption status of your existing volumes.
"""
false_positives = [
    """
    Disabling encryption may be done by a system or network administrator. Verify whether the user identity, user agent,
    and/or hostname should be making changes in your environment. Disabling encryption by unfamiliar users or hosts
    should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
]
from = "now-60m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS EC2 Encryption Disabled"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating AWS EC2 Encryption Disabled

Amazon EC2's EBS encryption ensures data at rest is secure by default. Disabling this feature can expose sensitive data, making it vulnerable to unauthorized access. Adversaries might exploit this by disabling encryption to access or manipulate data without detection. The detection rule monitors CloudTrail logs for successful attempts to disable EBS encryption, alerting security teams to potential misuse.

### Possible investigation steps

- Review the CloudTrail logs for the specific event.action: DisableEbsEncryptionByDefault to identify the user or role that initiated the action.
- Check the event.provider: ec2.amazonaws.com logs to gather additional context about the environment and any related activities around the time of the event.
- Investigate the IAM policies and permissions associated with the user or role to determine if they have the necessary permissions to disable EBS encryption and if those permissions are appropriate.
- Assess the event.outcome: success to confirm that the action was completed successfully and identify any subsequent actions taken by the same user or role.
- Examine the AWS account's security settings and configurations to ensure that no other security features have been altered or disabled.
- Contact the user or team responsible for the action to understand the rationale behind disabling EBS encryption and verify if it aligns with organizational policies.

### False positive analysis

- Routine administrative actions may trigger alerts if encryption is disabled for testing or configuration purposes. To manage this, create exceptions for specific IAM roles or users known to perform these tasks regularly.
- Automated scripts or tools that disable encryption for specific workflows might cause false positives. Identify these scripts and exclude their associated actions from triggering alerts by using specific tags or identifiers.
- Changes in regional settings or policies that temporarily disable encryption could be misinterpreted as threats. Monitor these changes and adjust the detection rule to account for legitimate policy updates.
- Scheduled maintenance or updates that require temporary encryption disabling should be documented and excluded from alerts by setting time-based exceptions during known maintenance windows.

### Response and remediation

- Immediately isolate the affected EC2 instances to prevent further unauthorized access or data manipulation. This can be done by modifying security group rules or network ACLs to restrict access.
- Re-enable EBS encryption by default in the affected region to ensure that all new volumes are encrypted. This can be done through the AWS Management Console or AWS CLI.
- Conduct a thorough review of recent changes in the AWS environment to identify any unauthorized modifications or access patterns. Focus on CloudTrail logs for any suspicious activity related to EBS encryption settings.
- Notify the security operations team and relevant stakeholders about the incident, providing them with details of the alert and any initial findings.
- Implement additional monitoring and alerting for any future attempts to disable EBS encryption by default, ensuring that security teams are promptly notified of similar activities.
- Review and update IAM policies to ensure that only authorized personnel have the necessary permissions to modify EBS encryption settings, reducing the risk of accidental or malicious changes.
- If any data manipulation is detected, initiate data recovery procedures to restore affected data from backups, ensuring data integrity and availability.

## Setup

The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
    "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html",
    "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/disable-ebs-encryption-by-default.html",
    "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html",
]
risk_score = 47
rule_id = "bb9b13b2-1700-48a8-a750-b43b0a72ab69"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS EC2",
    "Tactic: Impact",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DisableEbsEncryptionByDefault and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1565"
name = "Data Manipulation"
reference = "https://attack.mitre.org/techniques/T1565/"
[[rule.threat.technique.subtechnique]]
id = "T1565.001"
name = "Stored Data Manipulation"
reference = "https://attack.mitre.org/techniques/T1565/001/"



[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
```
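To show what the rule's KQL query actually evaluates, and how the "exempt known behavior" advice in the false-positive guidance fits alongside it, here is an added example that is not part of the Elastic rule or its page. It re-implements the four query conditions in Python and runs them over constructed CloudTrail records (one JSON document per line, not real logs). The projection of raw CloudTrail fields onto ECS names (eventSource to event.provider, eventName to event.action, a present errorCode to event.outcome "failure" and its absence to "success", awsRegion to cloud.region) follows the mapping the Elastic AWS CloudTrail integration applies, as this author understands it; the account id, ARNs, IPs and the exempted role prefix are all constructed values.

```python
"""Added example: evaluate the AWS EC2 Encryption Disabled rule logic offline.

Not code from the Elastic rule or its page. The ECS field mapping below follows
the Elastic CloudTrail integration as understood by the example's author; all
sample records and the exemption list are constructed for illustration.
"""
from __future__ import annotations

import json
from typing import Iterable

# Constructed CloudTrail records, one JSON document per line (not real logs).
SAMPLE_CLOUDTRAIL_LINES = [
    # 1. Successful disable by an IAM user: the rule should alert on this.
    json.dumps({
        "eventTime": "2025-01-15T10:00:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DisableEbsEncryptionByDefault",
        "awsRegion": "us-east-1",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/example-user"},
        "sourceIPAddress": "203.0.113.10",
        "userAgent": "aws-cli/2.15.0",
        "responseElements": {"ebsEncryptionByDefault": False},
    }),
    # 2. Same call denied by IAM: errorCode present, so event.outcome is "failure".
    json.dumps({
        "eventTime": "2025-01-15T10:05:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DisableEbsEncryptionByDefault",
        "awsRegion": "eu-west-1",
        "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/Dev/session"},
        "errorCode": "Client.UnauthorizedOperation",
        "errorMessage": "You are not authorized to perform this operation.",
    }),
    # 3. Unrelated EC2 read-only call: wrong event.action, must not match.
    json.dumps({
        "eventTime": "2025-01-15T10:06:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeVolumes",
        "awsRegion": "us-east-1",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/example-user"},
    }),
    # 4. Successful disable by a documented lab-automation role (constructed exemption case).
    json.dumps({
        "eventTime": "2025-01-15T10:10:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DisableEbsEncryptionByDefault",
        "awsRegion": "us-west-2",
        "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/EbsLabAutomation/run-42"},
        "sourceIPAddress": "10.0.12.7",
        "userAgent": "Boto3/1.34.0",
    }),
    "this line is not JSON and must be skipped, not crash the batch",
]

# Constructed exemption: a role known to disable encryption in a lab region.
EXEMPT_ROLE_ARN_PREFIXES = ("arn:aws:sts::111122223333:assumed-role/EbsLabAutomation/",)


def to_ecs(record: dict) -> dict:
    """Project the CloudTrail fields the rule and triage steps use onto ECS names."""
    identity = record.get("userIdentity") or {}
    return {
        "event.dataset": "aws.cloudtrail",
        "event.provider": record.get("eventSource"),
        "event.action": record.get("eventName"),
        # The integration derives outcome from the presence of errorCode.
        "event.outcome": "failure" if "errorCode" in record else "success",
        "cloud.region": record.get("awsRegion"),
        "aws.cloudtrail.user_identity.arn": identity.get("arn"),
        "source.ip": record.get("sourceIPAddress"),
        "user_agent.original": record.get("userAgent"),
        "@timestamp": record.get("eventTime"),
    }


def rule_matches(doc: dict) -> bool:
    """The rule's query, condition for condition:
    event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com
    and event.action:DisableEbsEncryptionByDefault and event.outcome:success
    """
    return (
        doc.get("event.dataset") == "aws.cloudtrail"
        and doc.get("event.provider") == "ec2.amazonaws.com"
        and doc.get("event.action") == "DisableEbsEncryptionByDefault"
        and doc.get("event.outcome") == "success"
    )


def is_exempt(doc: dict, exempt_arn_prefixes: Iterable[str]) -> bool:
    """Exception on the caller identity, as the false-positive guidance suggests.
    Matching on the assumed-role prefix ignores the per-session suffix of STS ARNs."""
    arn = doc.get("aws.cloudtrail.user_identity.arn") or ""
    return any(arn.startswith(prefix) for prefix in exempt_arn_prefixes)


def detect(lines: Iterable[str], exempt_arn_prefixes: Iterable[str] = ()) -> list[dict]:
    """Run the rule over raw CloudTrail JSON lines; return the matching ECS documents."""
    prefixes = tuple(exempt_arn_prefixes)
    alerts = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it, keep processing the batch
        doc = to_ecs(record)
        if rule_matches(doc) and not is_exempt(doc, prefixes):
            alerts.append(doc)
    return alerts


def triage_summary(alert: dict) -> str:
    """The facts the investigation steps ask for first: who, from where, in which region."""
    return (f"{alert['@timestamp']} region={alert['cloud.region']} "
            f"actor={alert['aws.cloudtrail.user_identity.arn']} "
            f"src={alert['source.ip']} ua={alert['user_agent.original']}")


if __name__ == "__main__":
    for alert in detect(SAMPLE_CLOUDTRAIL_LINES, EXEMPT_ROLE_ARN_PREFIXES):
        print(triage_summary(alert))
```

Without the exemption list, records 1 and 4 both alert; the denied attempt (record 2) does not, which is exactly the gap the rule's `event.outcome:success` clause creates, so a failed attempt by an unfamiliar principal is worth a separate, lower-severity rule if you want to see it. With the constructed `EbsLabAutomation` prefix exempted, only record 1 remains, and `triage_summary` prints the region, caller ARN, source IP and user agent the investigation steps start from.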

