
Default EBS encryption disabled

ID:aws_ebs_encryption_disabled
Data type:AWS CloudTrail
Severity:
Low
MITRE ATT&CK:TA0005:T1600

Description

AlphaSOC detected activity indicating that Amazon Elastic Block Store (EBS) encryption by default was disabled. The alert is triggered by a successful, user-initiated DisableEbsEncryptionByDefault API call recorded in AWS CloudTrail (failed or denied attempts do not satisfy the condition). The setting is per Region: while enabled, every new EBS volume and snapshot created in that Region is encrypted automatically, covering data at rest on the volume, data moving between the volume and its instance, and snapshots taken from it. Disabling it does not decrypt existing volumes, but any volume or snapshot created afterwards without an explicit encryption flag is stored unencrypted. This action may indicate that a threat actor is removing a control that would otherwise complicate data exfiltration, or is preparing for further malicious activity within the cloud environment.

Impact

Disabling default encryption removes a baseline control and violates common security best practices for cloud environments. New volumes created in the affected Region are unencrypted unless the creator opts in, so their contents can be read if the storage or a snapshot of it is exposed; unencrypted snapshots can also be copied or shared to other AWS accounts without any key policy standing in the way. The result can be a data breach and a compliance violation for workloads that require encryption at rest.

Severity

Severity | Condition
Low      | Disabled default EBS encryption detected

Investigation and Remediation

Investigate the AWS account, Region and principal responsible for disabling default EBS encryption. In CloudTrail, locate the DisableEbsEncryptionByDefault event and record the userIdentity (user or assumed role, access key ID, session), sourceIPAddress and userAgent, then review the same principal's activity in the surrounding window for related calls such as CreateVolume with encryption turned off, CreateSnapshot, CopySnapshot, ModifySnapshotAttribute (snapshot sharing) or RunInstances. Confirm whether the change was authorised. Re-enable encryption by default in every affected Region immediately, audit volumes and snapshots created after the change for missing encryption, and rotate or deactivate any access keys that may have been compromised.
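The detection condition from the Description and the triage steps above, as an added example that is not part of the AlphaSOC rule or product code. It flags a successful DisableEbsEncryptionByDefault call, skips denied attempts (records carrying an errorCode), and pivots on the calling principal's other EC2 activity within a time window, marking the follow-on calls worth a closer look. The CloudTrail records, account ID, ARNs and IP address are constructed placeholders; the window size and the FOLLOW_ON list are this example's own choices, not AlphaSOC's.

```python
"""Added example: detect DisableEbsEncryptionByDefault in CloudTrail and pivot on the caller."""
from datetime import datetime, timedelta

DISABLE_EVENT = "DisableEbsEncryptionByDefault"
# Follow-on EC2 calls worth scrutinising in the same session (example's own list):
# staging unencrypted data, or sharing snapshots out of the account.
FOLLOW_ON = {"CreateVolume", "CreateSnapshot", "CopySnapshot", "ModifySnapshotAttribute", "RunInstances"}


def _ev(time, name, user, region, **extra):
    """Build a minimal CloudTrail record. Constructed sample: account, ARN, key and IP are placeholders."""
    rec = {
        "eventTime": time,
        "eventSource": "ec2.amazonaws.com",
        "eventName": name,
        "awsRegion": region,
        "sourceIPAddress": "203.0.113.5",
        "userAgent": "aws-cli/2.15.0",
        "userIdentity": {
            "type": "IAMUser",
            "arn": f"arn:aws:iam::123456789012:user/{user}",
            "accessKeyId": "AKIAEXAMPLEKEY0001",
        },
    }
    rec.update(extra)
    return rec


# Constructed sample trail: one successful disable by alice, one denied attempt by bob.
SAMPLE_EVENTS = [
    _ev("2024-05-01T08:00:00Z", "DescribeVolumes", "alice", "us-east-1"),  # outside the window
    _ev("2024-05-01T10:00:00Z", DISABLE_EVENT, "alice", "us-east-1"),  # the alert condition
    _ev("2024-05-01T10:05:00Z", DISABLE_EVENT, "bob", "eu-west-1",
        errorCode="Client.UnauthorizedOperation"),  # denied attempt: no alert
    _ev("2024-05-01T10:12:00Z", "CreateVolume", "alice", "us-east-1",
        requestParameters={"encrypted": False, "size": 100}),
    _ev("2024-05-01T10:15:00Z", "DescribeInstances", "alice", "us-east-1"),
    _ev("2024-05-01T10:25:00Z", "CreateSnapshot", "alice", "us-east-1"),
    _ev("2024-05-01T10:31:00Z", "ModifySnapshotAttribute", "alice", "us-east-1",
        requestParameters={"createVolumePermission": {"add": {"items": [{"group": "all"}]}}}),
]


def _parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def _principal(ev):
    return ev.get("userIdentity", {}).get("arn", "unknown")


def find_disable_events(events):
    """Return one hit per successful DisableEbsEncryptionByDefault call (denied calls are skipped)."""
    hits = []
    for ev in events:
        if ev.get("eventSource") != "ec2.amazonaws.com" or ev.get("eventName") != DISABLE_EVENT:
            continue
        if "errorCode" in ev:  # AccessDenied / UnauthorizedOperation etc.: the control was not removed
            continue
        hits.append({
            "time": ev["eventTime"],
            "region": ev["awsRegion"],
            "principal": _principal(ev),
            "access_key": ev.get("userIdentity", {}).get("accessKeyId"),
            "source_ip": ev.get("sourceIPAddress"),
            "user_agent": ev.get("userAgent"),
        })
    return hits


def surrounding_activity(events, hit, window_minutes=60):
    """Other calls by the same principal within +/- window_minutes, flagged if in FOLLOW_ON and successful."""
    t0 = _parse_time(hit["time"])
    lo, hi = t0 - timedelta(minutes=window_minutes), t0 + timedelta(minutes=window_minutes)
    related = []
    for ev in events:
        if _principal(ev) != hit["principal"] or ev.get("eventName") == DISABLE_EVENT:
            continue
        if lo <= _parse_time(ev["eventTime"]) <= hi:
            related.append({
                "time": ev["eventTime"],
                "event": ev["eventName"],
                "region": ev["awsRegion"],
                "suspicious": ev["eventName"] in FOLLOW_ON and "errorCode" not in ev,
            })
    return sorted(related, key=lambda r: r["time"])


def remediation_commands(hit):
    """AWS CLI commands to re-enable the control and list unencrypted volumes in the affected Region."""
    r = hit["region"]
    return [
        f"aws ec2 enable-ebs-encryption-by-default --region {r}",
        f"aws ec2 get-ebs-encryption-by-default --region {r}",
        f"aws ec2 describe-volumes --region {r} --filters Name=encrypted,Values=false "
        "--query 'Volumes[].VolumeId'",
    ]


if __name__ == "__main__":
    for h in find_disable_events(SAMPLE_EVENTS):
        print("ALERT:", h)
        for r in surrounding_activity(SAMPLE_EVENTS, h):
            print("  ", "!!" if r["suspicious"] else "  ", r["time"], r["event"])
        print("\n".join(remediation_commands(h)))
```

On the sample trail this yields a single alert for alice in us-east-1 (bob's denied call is ignored), a timeline of four same-principal calls of which CreateVolume, CreateSnapshot and the public ModifySnapshotAttribute are flagged, and the CLI commands to run against that Region. The same filter can be run over real CloudTrail JSON by loading the Records array in place of SAMPLE_EVENTS.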

Known False Positives

  • An administrator temporarily disabled encryption for testing or troubleshooting purposes
  • The change was part of a planned migration or data transfer process
  • A system glitch or AWS service issue temporarily affected the encryption status reporting