AWS EC2 Encryption Disabled | Elastic Security Solution [7.9]

The SIEM app is now a part of the Elastic Security solution. Click here to view SIEM documentation for previous releases.

› › ›

« AWS Configuration Recorder Stopped AWS EC2 Flow Log Deletion »

AWS EC2 Encryption Disablededit

Identifies disabling of default Amazon Elastic Block Store (EBS) encryption in the current region. Disabling default encryption does not change the encryption status of your existing volumes.

Rule type: query

Rule indices:

filebeat-*

Severity: medium

Risk score: 47

Runs every: 10 minutes

Searches indices from: now-60m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

AWS
Elastic
SecOps
Data Protection
Continuous Monitoring

Version: 1

Added (Elastic Stack release): 7.9.0

Rule authors: Elastic

Rule license: Elastic License

Potential false positivesedit

Disabling encryption may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Disabling encryption by unfamiliar users or hosts should be investigated. If a known behavior is causing false positives, it can be excluded from the rule.

Investigation guideedit

The AWS Filebeat module must be enabled to use this rule.

Rule queryedit

event.action:DisableEbsEncryptionByDefault and
event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and
event.outcome:success

Threat mappingedit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Impact
- ID: TA0040
- Reference URL: https://attack.mitre.org/tactics/TA0040/
Technique:
- Name: Stored Data Manipulation
- ID: T1492
- Reference URL: https://attack.mitre.org/techniques/T1492/

« AWS Configuration Recorder Stopped AWS EC2 Flow Log Deletion »