Data Encrypted for Impact: EC2/EBS Data Encryption
AWS Specific Sub-Technique
Other sub-techniques of Data Encrypted for Impact (3)
| ID | Name |
|---|---|
| T1486.A002 | EC2/EBS Data Encryption |
| T1486.A003 | RDS Data Encryption |
| T1486.A001 | S3 Encryption - SSE-C Key Encryption |
A prerequisite for this technique is that a threat actor has already gained control of an AWS identity with the permissions to perform the actions in the AWS CloudTrail Event Name(s) section.
With access to an AWS identity that has the appropriate permissions, threat actors may manipulate the encryption settings of EBS volumes associated with Amazon EC2 instances. This can include modifying existing encryption keys, disabling encryption, or re-encrypting volumes with attacker-controlled keys. These actions can be performed to gain inappropriate access to sensitive data, perform data destruction, or as part of a ransom campaign.
Detection
When this technique is used by the threat actor, actions taken to modify encryption settings will be logged in CloudTrail. You can use the Event history page in the AWS CloudTrail console to view the last 90 days of management events in your AWS Region for encryption-related events such as:
- ebs:CreateVolume with encryption parameters.
A separate CloudTrail trail will give you an ongoing record of events in your AWS account past 90 days and can be configured to log events in multiple regions. You can monitor for unexpected patterns of encryption-related API calls, especially those occurring outside of normal maintenance windows or from unexpected IAM principals. You can review these events using both the console and the AWS CLI.
It is also possible to create CloudWatch metric filters to monitor for specific encryption-related API calls and configure alerts when unusual patterns are detected.
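As an added illustration of the monitoring described above (example code, not part of this catalog page), the Python below scans constructed CloudTrail records for EBS encryption-related EC2 calls and flags any made by an unexpected principal or outside a maintenance window. The StorageOps role, the 02:00-04:59 UTC window, the account and key IDs, and the watched event names other than CreateVolume are assumptions.

```python
import json
from datetime import datetime

# Constructed CloudTrail management events for illustration (not real account data).
SAMPLE_EVENTS = json.loads("""[
 {"eventTime":"2024-05-01T03:15:00Z","eventSource":"ec2.amazonaws.com","eventName":"CreateVolume",
  "userIdentity":{"arn":"arn:aws:sts::123456789012:assumed-role/StorageOps/nightly"},
  "requestParameters":{"availabilityZone":"us-east-1a","size":100,"encrypted":true,
   "kmsKeyId":"arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"}},
 {"eventTime":"2024-05-01T14:02:11Z","eventSource":"ec2.amazonaws.com","eventName":"ModifyEbsDefaultKmsKeyId",
  "userIdentity":{"arn":"arn:aws:iam::123456789012:user/contractor"},
  "requestParameters":{"kmsKeyId":"arn:aws:kms:us-east-1:999999999999:key/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"}},
 {"eventTime":"2024-05-01T15:30:00Z","eventSource":"ec2.amazonaws.com","eventName":"CreateVolume",
  "userIdentity":{"arn":"arn:aws:sts::123456789012:assumed-role/StorageOps/adhoc"},
  "requestParameters":{"availabilityZone":"us-east-1a","size":8}}
]""")

# EC2 API calls that change EBS encryption state. The page names CreateVolume with encryption
# parameters; the default-KMS-key and encryption-by-default calls are added here as assumptions.
WATCHED_EVENTS = {"CreateVolume", "ModifyEbsDefaultKmsKeyId", "ResetEbsDefaultKmsKeyId",
                  "EnableEbsEncryptionByDefault", "DisableEbsEncryptionByDefault"}
# Assumed: the role that legitimately manages volumes, and a 02:00-04:59 UTC maintenance window.
EXPECTED_ROLE_PREFIX = "arn:aws:sts::123456789012:assumed-role/StorageOps/"
MAINTENANCE_HOURS_UTC = range(2, 5)

def is_encryption_related(event):
    """True for watched EC2 calls; CreateVolume only counts when encryption parameters were set."""
    name = event.get("eventName")
    if event.get("eventSource") != "ec2.amazonaws.com" or name not in WATCHED_EVENTS:
        return False
    params = event.get("requestParameters") or {}
    return name != "CreateVolume" or "encrypted" in params or "kmsKeyId" in params

def find_suspicious(events):
    """Return (eventName, principal ARN, reasons) for encryption-related calls that break expectations."""
    findings = []
    for ev in events:
        if not is_encryption_related(ev):
            continue
        principal = ev.get("userIdentity", {}).get("arn", "<unknown>")
        hour = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").hour
        reasons = []
        if not principal.startswith(EXPECTED_ROLE_PREFIX):
            reasons.append("unexpected principal")
        if hour not in MAINTENANCE_HOURS_UTC:
            reasons.append("outside maintenance window")
        if reasons:
            findings.append((ev["eventName"], principal, reasons))
    return findings
```

Running `find_suspicious(SAMPLE_EVENTS)` flags only the ModifyEbsDefaultKmsKeyId call; the nightly encrypted CreateVolume is expected, and the unencrypted CreateVolume is not an encryption-related event.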
Mitigation
Use AWS Config rules to monitor and remediate unencrypted volumes. You can use the managed rule encrypted-volumes to detect non-compliant volumes.
You can make sure that principals are scoped with the least-privileged permissions necessary to perform duties, limiting the ability to perform unauthorized actions in an AWS account when not required. One possible method of applying the principle of least-privileged permissions is to use Service Control Policies to restrict the maximum available permissions for the IAM users and IAM roles within your AWS Organizations accounts (note - you should test SCPs in a development environment before deploying them in production).