Default EBS encryption disabled
Description
AlphaSOC detected activity indicating Amazon Elastic Block Store (EBS) volume default encryption was disabled. The alert is triggered by a successful user-initiated attempt to disable default EBS encryption, which removes a critical security control that automatically encrypts EBS volumes and snapshots, including data at rest and in transit. This action may indicate that the threat actor is attempting to facilitate data exfiltration or prepare for further malicious activity within the cloud environment.
Impact
Disabling default encryption can expose sensitive data and violate security best practices for cloud environments. Unencrypted EBS volumes can be accessed if compromised, potentially leading to data breaches and compliance violations.
Severity
| Severity | Condition |
|---|---|
| Low | Disabled default EBS encryption detected |
Investigation and Remediation
Investigate the AWS account and user responsible for disabling default EBS encryption. Review CloudTrail logs to identify the specific API calls and any surrounding suspicious activities. Re-enable default EBS encryption immediately and audit existing unencrypted volumes. Rotate any potentially compromised access keys.
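The detection described above and the CloudTrail review it calls for, as an added example that is not AlphaSOC's own rule logic: it assumes the alert keys on the EC2 API action `DisableEbsEncryptionByDefault` in CloudTrail (the action that turns the setting off, per region), treats records carrying an `errorCode` as failed attempts that do not fire the alert, and runs over constructed sample records rather than real account data.

```python
import json
from typing import Iterable

# CloudTrail records this EC2 API action when default EBS encryption is turned off.
DISABLE_ACTION = "DisableEbsEncryptionByDefault"
EC2_SOURCE = "ec2.amazonaws.com"

def detect_disable_default_ebs_encryption(records: Iterable[dict]) -> list[dict]:
    """Return one finding per successful DisableEbsEncryptionByDefault call.

    Failed attempts carry an errorCode (e.g. an authorization error), so they are
    skipped, matching the alert condition of a *successful* disable."""
    findings = []
    for r in records:
        if r.get("eventSource") != EC2_SOURCE or r.get("eventName") != DISABLE_ACTION:
            continue
        if r.get("errorCode"):
            continue
        identity = r.get("userIdentity", {})
        findings.append({
            "time": r.get("eventTime"),
            "account": r.get("recipientAccountId"),
            "region": r.get("awsRegion"),  # the setting is per region; note which one
            "principal": identity.get("arn"),
            "source_ip": r.get("sourceIPAddress"),
            "severity": "low",
            "rule": "Default EBS encryption disabled",
        })
    return findings

# Constructed sample CloudTrail records (hypothetical account, users and IP).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": EC2_SOURCE,
     "eventName": DISABLE_ACTION, "awsRegion": "us-east-1",
     "recipientAccountId": "111111111111", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"}},
    {"eventTime": "2024-05-01T10:01:00Z", "eventSource": EC2_SOURCE,
     "eventName": DISABLE_ACTION, "awsRegion": "eu-west-1",
     "recipientAccountId": "111111111111", "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/bob"}},
    {"eventTime": "2024-05-01T10:02:00Z", "eventSource": EC2_SOURCE,
     "eventName": "EnableEbsEncryptionByDefault", "awsRegion": "us-east-1",
     "recipientAccountId": "111111111111",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"}},
]})

def findings_from_log(log_text: str) -> list[dict]:
    """Parse a CloudTrail log file body and run the detection over its Records."""
    return detect_disable_default_ebs_encryption(json.loads(log_text)["Records"])
```

Only the first sample record produces a finding: the second is a denied attempt and the third re-enables the setting, which is the remediation action rather than the alert condition.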
Known False Positives
- An administrator temporarily disabled encryption for testing or troubleshooting purposes
- The change was part of a planned migration or data transfer process
- A system glitch or AWS service issue temporarily affected the encryption status reporting