rules/cloud/aws/aws_ec2_disable_encryption.yml

title: AWS EC2 Disable EBS Encryption
id: 16124c2d-e40b-4fcc-8f2c-5ab7870a2223
status: stable
description: Identifies disabling of default Amazon Elastic Block Store (EBS) encryption in the current region. Disabling default encryption does not change the encryption status of your existing volumes.
author: Sittikorn S
date: 2021/06/29
modified: 2021/08/20
references:
    - https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html
tags:
    - attack.impact
    - attack.t1486
    - attack.t1565
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: ec2.amazonaws.com
        eventName: DisableEbsEncryptionByDefault
    condition: selection
falsepositives:
    - System Administrator Activities
    - DEV, UAT, SAT environment. You should apply this rule with PROD account only.
level: medium
Create aws_ec2_disable_encryption.yml 2021-06-29 11:06:00 +07:00			`title: AWS EC2 Disable EBS Encryption`
			`id: 16124c2d-e40b-4fcc-8f2c-5ab7870a2223`
			`status: stable`
			`description: Identifies disabling of default Amazon Elastic Block Store (EBS) encryption in the current region. Disabling default encryption does not change the encryption status of your existing volumes.`
			`author: Sittikorn S`
			`date: 2021/06/29`
Update AWS CloudTrail rules 2021-08-20 13:43:00 +01:00			`modified: 2021/08/20`
Create aws_ec2_disable_encryption.yml 2021-06-29 11:06:00 +07:00			`references:`
			`- https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html`
			`tags:`
			`- attack.impact`
			`- attack.t1486`
			`- attack.t1565`
			`logsource:`
$frack113$ Add product aws 2021-11-14 09:56:59 +01:00			`product: aws`
Create aws_ec2_disable_encryption.yml 2021-06-29 11:06:00 +07:00			`service: cloudtrail`
			`detection:`
			`selection:`
			`eventSource: ec2.amazonaws.com`
$frack113$ split PR 1802 fix rules 2021-08-09 15:41:40 +02:00			`eventName: DisableEbsEncryptionByDefault`
Create aws_ec2_disable_encryption.yml 2021-06-29 11:06:00 +07:00			`condition: selection`
			`falsepositives:`
			`- System Administrator Activities`
			`- DEV, UAT, SAT environment. You should apply this rule with PROD account only.`
Update aws_ec2_disable_encryption.yml 2021-06-29 18:05:25 +07:00			`level: medium`