<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Elastic Block Store (EBS) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/elastic-block-store-ebs/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 09 Jan 2024 18:25:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/elastic-block-store-ebs/feed.xml" rel="self" type="application/rss+xml"/><item><title>AWS EBS Encryption Disabled</title><link>https://feed.craftedsignal.io/briefs/2024-01-09-aws-ebs-encryption-disabled/</link><pubDate>Tue, 09 Jan 2024 18:25:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-09-aws-ebs-encryption-disabled/</guid><description>Detects when Amazon Elastic Block Store (EBS) encryption by default is disabled in an AWS region, potentially leading to data exposure and weakening data protection against exfiltration or ransomware.</description><content:encoded><![CDATA[<p>This detection identifies instances where Amazon Elastic Block Store (EBS) encryption by default is disabled within an AWS region. The default encryption ensures that all new EBS volumes and snapshots are automatically encrypted, protecting data at rest. Disabling this setting, detected via CloudTrail logs, introduces a significant security risk.  Attackers may disable encryption to weaken data protection measures before initiating data exfiltration or tampering with EBS volumes and snapshots. This action can serve as a precursor to data theft or ransomware attacks, as unencrypted volumes are easier to compromise. The rule focuses on the <code>DisableEbsEncryptionByDefault</code> event logged by CloudTrail when this configuration change occurs. Elastic has released this rule as part of their detection ruleset on 2026-04-10.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains access to an AWS account, potentially through compromised credentials or a misconfigured IAM role.</li>
<li>The attacker uses the AWS CLI or API to execute the <code>DisableEbsEncryptionByDefault</code> command, targeting a specific AWS region.</li>
<li>CloudTrail logs the <code>DisableEbsEncryptionByDefault</code> event, indicating that default EBS encryption has been disabled.</li>
<li>The attacker creates new EBS volumes within the affected region, which are now unencrypted by default.</li>
<li>Sensitive data is stored on these newly created, unencrypted EBS volumes.</li>
<li>The attacker exfiltrates the data from the unencrypted EBS volumes to an external location.</li>
<li>Alternatively, the attacker might deploy ransomware on instances using the unencrypted volumes, encrypting the data and demanding a ransom.</li>
<li>The attacker covers their tracks by deleting or modifying CloudTrail logs, if possible, to hide their activity.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Disabling EBS encryption by default can lead to the creation of unencrypted EBS volumes, exposing sensitive data at rest. A successful attack could result in data theft, data loss, or a ransomware incident. The severity depends on the type and amount of data stored on the affected volumes. Organizations in regulated industries may face compliance violations if sensitive data is stored without encryption. This could potentially impact hundreds or thousands of EBS volumes depending on the period the encryption was disabled.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule provided in this brief to detect instances of <code>DisableEbsEncryptionByDefault</code> in your AWS environment, leveraging CloudTrail logs.</li>
<li>Review IAM policies to restrict the <code>ec2:DisableEbsEncryptionByDefault</code> permission to only authorized administrators.</li>
<li>Enable AWS Config rules and Security Hub controls related to EBS encryption (<code>ec2-ebs-encryption-by-default-enabled</code>) to continuously monitor this setting, per the overview.</li>
<li>After detection, use the investigation steps in the original Elastic rule to identify affected resources and remediate the misconfiguration.</li>
<li>Enable organization-level service control policies (SCPs) to prevent future disabling of encryption-by-default across accounts, as per the original rule documentation.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>aws</category><category>ebs</category><category>encryption</category><category>cloudtrail</category></item></channel></rss>