Quick Start Security for Amazon Elastic Block Storage (EBS)
Coralogix Extension For Amazon Elastic Block Storage (EBS) Includes:
Alerts - 4
Stay on top of Amazon Elastic Block Storage (EBS) key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.
Amazon EBS - Default encryption disabled
This alert triggers when EBS encryption by default is disabled.
Impact: Disabling default EBS encryption means that newly created EBS volumes will no longer be automatically encrypted. This can potentially expose sensitive data, leading to data breaches or non-compliance with security standards.
Mitigation:
- Determine which user in your organization owns the API key that made this API call.
- Contact the user and let them know that it is best practice to enable EBS encryption by default.
- Re-enable EBS encryption by default.
MITRE Tactic: TA0005
MITRE Technique: T1600
Amazon EBS - Volume created without Encryption-at-Rest
This alert triggers when an AWS EBS volume is created without encryption enabled.
Impact: Without encryption, sensitive data stored on the EBS volume can be vulnerable to unauthorized access or data breaches.
Mitigation: Verify that the volume was authorized to be created without encryption. If not, investigate further. Note that when creating an EBS volume, you can choose the option to enable encryption. AWS provides options for server-side encryption with either AWS-managed keys (AWS KMS) or customer-managed keys (CMKs).
MITRE Tactic: TA0009
MITRE Technique: T1530
Amazon EBS - Snapshot made public
This alert triggers when an EBS snapshot is made public. EBS snapshots are a point-in-time copy of your data.
Impact: Making an EBS snapshot public means that anyone with the snapshot's URL can access and potentially download its contents. This can lead to unauthorized access to sensitive data, which can result in data breaches or privacy violations.
Mitigation:
- Determine if the EBS snapshot should be made public.
- Determine which user made the EBS snapshot public.
- Contact the user to see if they intended to make the EBS snapshot public.
If the user did not make the API call:
- Rotate the credentials.
- Investigate if the same credentials made other unauthorized API calls.
- Revert AMI permissions to the original state.
- Begin your company's IR process and investigate.
MITRE Tactic: TA0005
MITRE Technique: T1578
Amazon EBS - Unencrypted Snapshot Created
This alert triggers when an unencrypted snapshot of an EBS volume is created.
Impact: Unencrypted snapshots can expose sensitive data stored on the EBS volume, making it vulnerable to unauthorized access or data breaches. This can result in confidential information falling into the wrong hands.
Mitigation: Verify that the snapshot was authorized to be created without encryption. If not, investigate further. Note that when creating a snapshot, choose the option to enable encryption. AWS provides options for server-side encryption with either AWS-managed keys (AWS KMS) or customer-managed keys (CMKs). By encrypting your snapshots, you add an additional layer of security to protect your data.
MITRE Tactic: TA0009
MITRE Technique: T1530
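
The four alert conditions above can be expressed as detection logic over AWS API audit records. The following is an added example, not Coralogix's rule definitions: it assumes CloudTrail-style JSON records (the field layout, the sample events and the names `classify` and `triage` are constructed for illustration) and returns the alert name together with the caller, which is the first thing each mitigation asks you to determine.

```python
import json

# Constructed sample records in an assumed CloudTrail layout, trimmed to the fields used.
U = "arn:aws:iam::111122223333:user/"
SAMPLE_EVENTS = [json.loads(s) for s in (
    '{"eventSource":"ec2.amazonaws.com","eventName":"DisableEbsEncryptionByDefault","userIdentity":{"arn":"%sa"}}' % U,
    '{"eventSource":"ec2.amazonaws.com","eventName":"DisableEbsEncryptionByDefault","errorCode":"Client.UnauthorizedOperation","userIdentity":{"arn":"%sb"}}' % U,
    '{"eventSource":"ec2.amazonaws.com","eventName":"CreateVolume","responseElements":{"volumeId":"vol-0example","encrypted":false},"userIdentity":{"arn":"%sc"}}' % U,
    '{"eventSource":"ec2.amazonaws.com","eventName":"CreateVolume","responseElements":{"volumeId":"vol-1example","encrypted":true},"userIdentity":{"arn":"%sc"}}' % U,
    '{"eventSource":"ec2.amazonaws.com","eventName":"ModifySnapshotAttribute","requestParameters":{"snapshotId":"snap-0example","createVolumePermission":{"add":{"items":[{"group":"all"}]}}},"userIdentity":{"arn":"%sd"}}' % U,
    '{"eventSource":"ec2.amazonaws.com","eventName":"ModifySnapshotAttribute","requestParameters":{"snapshotId":"snap-1example","createVolumePermission":{"add":{"items":[{"userId":"444455556666"}]}}},"userIdentity":{"arn":"%sd"}}' % U,
    '{"eventSource":"ec2.amazonaws.com","eventName":"CreateSnapshot","responseElements":{"snapshotId":"snap-2example","encrypted":false},"userIdentity":{"arn":"%se"}}' % U,
)]

def _unencrypted(event):
    # Accept a JSON boolean or the string "false"; a missing field does not match.
    resp = event.get("responseElements") or {}
    return str(resp.get("encrypted")).lower() == "false"

def _made_public(event):
    # Public means the "all" group was added; sharing with one account is not public.
    perm = (event.get("requestParameters") or {}).get("createVolumePermission") or {}
    items = (perm.get("add") or {}).get("items") or []
    return any(item.get("group") == "all" for item in items)

RULES = {
    "DisableEbsEncryptionByDefault": ("Default encryption disabled", lambda e: True),
    "CreateVolume": ("Volume created without Encryption-at-Rest", _unencrypted),
    "ModifySnapshotAttribute": ("Snapshot made public", _made_public),
    "CreateSnapshot": ("Unencrypted Snapshot Created", _unencrypted),
}

def classify(event):
    """Return the name of the alert this record matches, or None."""
    if event.get("eventSource") != "ec2.amazonaws.com" or event.get("errorCode"):
        return None  # not an EC2/EBS call, or the call failed and changed nothing
    name, matches = RULES.get(event.get("eventName"), (None, lambda e: False))
    return name if matches(event) else None

def triage(events):
    """Return (alert name, caller ARN) for every record that matches a rule."""
    hits = []
    for event in events:
        alert = classify(event)
        if alert:
            hits.append((alert, (event.get("userIdentity") or {}).get("arn", "unknown")))
    return hits

if __name__ == "__main__":
    for alert, caller in triage(SAMPLE_EVENTS):
        print(f"{alert}: {caller}")
```
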
Integration
Learn more about Coralogix's out-of-the-box integration with Amazon Elastic Block Storage (EBS) in our documentation.