security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
01dc930c173e329c191245b76f05de5fa4b5da21
blue-team-tools/rules/cloud/aws/aws_ec2_disable_encryption.yml
T
frack113 b293372913 Add product aws
2021-11-14 09:56:59 +01:00

26 lines
876 B
YAML
Raw Blame History

title: AWS EC2 Disable EBS Encryption
id: 16124c2d-e40b-4fcc-8f2c-5ab7870a2223
status: stable
description: Identifies disabling of default Amazon Elastic Block Store (EBS) encryption in the current region. Disabling default encryption does not change the encryption status of your existing volumes.
author: Sittikorn S
date: 2021/06/29
modified: 2021/08/20
references:
- https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html
tags:
- attack.impact
- attack.t1486
- attack.t1565
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: ec2.amazonaws.com
eventName: DisableEbsEncryptionByDefault
condition: selection
falsepositives:
- System Administrator Activities
- DEV, UAT, SAT environment. You should apply this rule with PROD account only.
level: medium
Reference in New Issue View Git Blame Copy Permalink