turbot/tailpipe-mod-aws-cloudtrail-log-detections

Detection: EBS Encryption by Default Disabled

Overview

Detect when Amazon Elastic Block Store (EBS) encryption by default was disabled in a region. Disabling default encryption increases the risk of unencrypted volumes being created inadvertently, exposing sensitive data to unauthorized access. Enabling default encryption simplifies management and ensures data at rest is consistently protected.

References:

Usage

Run the detection in your terminal:

powerpipe detection run aws_cloudtrail_log_detections.detection.ebs_encryption_by_default_disabled

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe detection run aws_cloudtrail_log_detections.detection.ebs_encryption_by_default_disabled --share

SQL

This detection uses a named query:

select
tp_timestamp as timestamp,
string_split(event_source, '.')[1] || ':' || event_name as operation,
aws_region as resource,
user_identity.arn as actor,
tp_source_ip as source_ip,
tp_index as account_id,
aws_region as region,
tp_id as source_id,
*
from
aws_cloudtrail_log
where
event_source = 'ec2.amazonaws.com'
and event_name = 'DisableEbsEncryptionByDefault'
and error_code is null
order by
event_time desc;

Tags