LoFP / dev, uat, sat environment. you should apply this rule with prod account only.

Techniques

• t1486
• t1565

Sample rules

AWS EC2 Disable EBS Encryption

• source: sigma
• technicques:
  • t1486
  • t1565

Description

Identifies disabling of default Amazon Elastic Block Store (EBS) encryption in the current region. Disabling default encryption does not change the encryption status of your existing volumes.

Detection logic

condition: selection
selection:
  eventName: DisableEbsEncryptionByDefault
  eventSource: ec2.amazonaws.com