AWS EC2 Disable EBS Encryption

Identifies disabling of default Amazon Elastic Block Store (EBS) encryption in the current region. Disabling default encryption does not change the encryption status of your existing volumes.

Sigma rule

title: AWS EC2 Disable EBS Encryption
id: 16124c2d-e40b-4fcc-8f2c-5ab7870a2223
status: stable
description: |
  Identifies disabling of default Amazon Elastic Block Store (EBS) encryption in the current region.
  Disabling default encryption does not change the encryption status of your existing volumes.
references:
    - https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html
author: Sittikorn S
date: 2021/06/29
modified: 2021/08/20
tags:
    - attack.impact
    - attack.t1486
    - attack.t1565
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: ec2.amazonaws.com
        eventName: DisableEbsEncryptionByDefault
    condition: selection
falsepositives:
    - System Administrator Activities
    - DEV, UAT, SAT environment. You should apply this rule with PROD account only.
level: medium
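
The rule's selection applied to CloudTrail records, as an added example that is not part of the Sigma project or the original page. It goes slightly beyond the rule by scoping to PROD accounts (per the false-positive note) and recording the region, actor and whether the call succeeded. The account IDs, ARNs, IP address and the `find_disable_events` and `_rec` helpers are constructed for illustration.

```python
# Selection from the Sigma rule: every listed field must match exactly.
SELECTION = {
    "eventSource": "ec2.amazonaws.com",
    "eventName": "DisableEbsEncryptionByDefault",
}

PROD_ACCOUNTS = {"111111111111"}  # constructed account ID (assumption)

def _rec(account, region, name, arn, error=None):
    """Build a constructed CloudTrail-style record for the sample below."""
    rec = {"eventTime": "2021-08-20T10:00:00Z", "eventSource": "ec2.amazonaws.com",
           "eventName": name, "awsRegion": region, "recipientAccountId": account,
           "sourceIPAddress": "203.0.113.10", "userIdentity": {"arn": arn}}
    if error:
        rec["errorCode"] = error
    return rec

# Constructed sample records, not real log data.
SAMPLE_RECORDS = [
    _rec("111111111111", "us-east-1", "DisableEbsEncryptionByDefault",
         "arn:aws:iam::111111111111:user/ops-admin"),
    _rec("222222222222", "us-east-1", "DisableEbsEncryptionByDefault",
         "arn:aws:iam::222222222222:user/dev-user"),       # DEV account
    _rec("111111111111", "us-east-1", "EnableEbsEncryptionByDefault",
         "arn:aws:iam::111111111111:user/ops-admin"),      # not the rule's event
    _rec("111111111111", "eu-west-1", "DisableEbsEncryptionByDefault",
         "arn:aws:iam::111111111111:user/intern",
         error="Client.UnauthorizedOperation"),            # denied attempt
]

def find_disable_events(records, prod_accounts):
    """Return one alert per record that matches the rule inside a PROD account."""
    alerts = []
    for rec in records:
        if any(rec.get(key) != value for key, value in SELECTION.items()):
            continue
        if rec.get("recipientAccountId") not in prod_accounts:
            continue  # DEV/UAT/SAT accounts are excluded per the rule's guidance
        alerts.append({
            "time": rec.get("eventTime"),
            "account": rec.get("recipientAccountId"),
            "region": rec.get("awsRegion"),  # the default is set per region
            "actor": rec.get("userIdentity", {}).get("arn"),
            "succeeded": "errorCode" not in rec,  # denied calls changed nothing
        })
    return alerts

if __name__ == "__main__":
    for alert in find_disable_events(SAMPLE_RECORDS, PROD_ACCOUNTS):
        print(alert)
```

Because existing volumes keep their encryption status, a successful alert mainly signals that volumes created afterwards in that region may be unencrypted.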
