valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 17:58:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
bda207660d
SigmaHQ/rules/cloud/aws_ec2_disable_encryption.yml
Sittikorn S 9ae8fedff3
Update aws_ec2_disable_encryption.yml
2021-06-29 18:05:25 +07:00

26 lines
874 B
YAML
Raw Blame History

title: AWS EC2 Disable EBS Encryption
id: 16124c2d-e40b-4fcc-8f2c-5ab7870a2223
status: stable
description: Identifies disabling of default Amazon Elastic Block Store (EBS) encryption in the current region. Disabling default encryption does not change the encryption status of your existing volumes.
author: Sittikorn S
date: 2021/06/29
references:
- https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html
tags:
- attack.impact
- attack.t1486
- attack.t1565
logsource:
service: cloudtrail
detection:
selection:
eventSource: ec2.amazonaws.com
eventName:
- DisableEbsEncryptionByDefault
status: success
condition: selection
falsepositives:
- System Administrator Activities
- DEV, UAT, SAT environment. You should apply this rule with PROD account only.
level: medium
Reference in New Issue View Git Blame Copy Permalink