Detection rules › Panther
AWS EC2 Volume Snapshot Encryption
You can encrypt the snapshot of an EC2 volume to protect against accidental data loss
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Collection | T1530 Data from Cloud Storage |
Rule body yaml
AnalysisType: policy
Filename: aws_ec2_volume_snapshot_encrypted.py
PolicyID: "AWS.EC2.Volume.Snapshot.Encrypted"
DisplayName: "AWS EC2 Volume Snapshot Encryption"
Enabled: true
ResourceTypes:
- AWS.EC2.Volume
Tags:
- AWS
- Panther
- Collection:Data From Cloud Storage Object
Reports:
MITRE ATT&CK:
- TA0009:T1530
Severity: High
Description: >
You can encrypt the snapshot of an EC2 volume to protect against accidental data loss
Runbook: >
https://docs.runpanther.io/alert-runbooks/built-in-policies/aws-ec2-volume-is-encrypted
Reference: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html
Tests:
- Name: Volume Snapshot Encrypted
ExpectedResult: true
Resource:
{
"AccountId": "123456789012",
"Region": "ap-southeast-2",
"ARN": "arn:aws:ec2:ap-southeast-2:123456789012:volume/vol-aaabbbccc123123",
"ID": "vol-aaabbbccc123123",
"Tags": {},
"ResourceID": "arn:aws:ec2:ap-southeast-2:123456789012:volume/vol-aaabbbccc123123",
"ResourceType": "AWS.EC2.Volume",
"TimeCreated": "2019-04-02T17:16:30.000Z",
"Attachments":
[
{
"AttachTime": "2019-04-02T17:16:30Z",
"DeleteOnTermination": true,
"Device": "/dev/sda1",
"InstanceId": "instance-aabbcc123",
"State": "attached",
"VolumeId": "vol-aaabbbccc123123",
},
],
"AvailabilityZone": "us-west-2b",
"Encrypted": true,
"Iops": 100,
"KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012",
"Size": 10,
"SnapshotId": "snap-abcdefg012345",
"State": "in-use",
"VolumeId": "vol-aaabbbccc123123",
"VolumeType": "gp2",
"Snapshots":
[
{
"DataEncryptionKeyId": null,
"Description": "Copied for destinationAmi...",
"Encrypted": true,
"KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012",
"OwnerAlias": null,
"OwnerId": "123456789012",
"Progress": "100%",
"SnapshotId": "snapshot-aaabbbccc123123",
"StartTime": "2019-04-02T17:16:30Z",
"State": "completed",
"StateMessage": null,
"Tags": null,
"VolumeId": "vol-aaabbbccc123123",
"VolumeSize": 16,
"CreateVolumePermissions":
[{ "Group": "GroupName", "UserId": "user-123" }],
},
{
"DataEncryptionKeyId": null,
"Description": "In progress, unencrypted",
"Encrypted": false,
"KmsKeyId": null,
"OwnerAlias": null,
"OwnerId": "123456789012",
"Progress": "80%",
"SnapshotId": "snapshot-aaabbbccc123123",
"StartTime": "2019-04-02T17:16:30Z",
"State": "in-progress",
"StateMessage": null,
"Tags": null,
"VolumeId": "vol-aaabbbccc123123",
"VolumeSize": 16,
"CreateVolumePermissions":
[{ "Group": "GroupName", "UserId": "user-123" }],
},
],
}
- Name: Volume Snapshot Not Encrypted
ExpectedResult: false
Resource:
{
"AccountId": "123456789012",
"Region": "ap-southeast-2",
"ARN": "arn:aws:ec2:ap-southeast-2:123456789012:volume/vol-aaabbbccc123123",
"ID": "vol-aaabbbccc123123",
"Tags": {},
"ResourceID": "arn:aws:ec2:ap-southeast-2:123456789012:volume/vol-aaabbbccc123123",
"ResourceType": "AWS.EC2.Volume",
"TimeCreated": "2019-04-02T17:16:30.000Z",
"Attachments":
[
{
"AttachTime": "2019-04-02T17:16:30Z",
"DeleteOnTermination": true,
"Device": "/dev/sda1",
"InstanceId": "instance-aabbcc123",
"State": "attached",
"VolumeId": "vol-aaabbbccc123123",
},
],
"AvailabilityZone": "us-west-2b",
"Encrypted": false,
"Iops": 100,
"KmsKeyId": null,
"Size": 10,
"SnapshotId": "snap-abcdefg012345",
"State": "in-use",
"VolumeId": "vol-aaabbbccc123123",
"VolumeType": "gp2",
"Snapshots":
[
{
"DataEncryptionKeyId": null,
"Description": "Copied for destinationAmi...",
"Encrypted": false,
"KmsKeyId": null,
"OwnerAlias": null,
"OwnerId": "123456789012",
"Progress": "100%",
"SnapshotId": "snapshot-aaabbbccc123123",
"StartTime": "2019-04-02T17:16:30Z",
"State": "completed",
"StateMessage": null,
"Tags": null,
"VolumeId": "vol-aaabbbccc123123",
"VolumeSize": 16,
"CreateVolumePermissions":
[{ "Group": "GroupName", "UserId": "user-123" }],
},
{
"DataEncryptionKeyId": null,
"Description": "Copied for destinationAmi...",
"Encrypted": true,
"KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012",
"OwnerAlias": null,
"OwnerId": "123456789012",
"Progress": "100%",
"SnapshotId": "snapshot-aaabbbccc123123",
"StartTime": "2019-04-02T17:16:30Z",
"State": "completed",
"StateMessage": null,
"Tags": null,
"VolumeId": "vol-aaabbbccc123123",
"VolumeSize": 16,
"CreateVolumePermissions":
[{ "Group": "GroupName", "UserId": "user-123" }],
},
],
}
- Name: No Snapshots
ExpectedResult: true
Resource:
{
"AccountId": "123456789012",
"Region": "ap-southeast-2",
"ARN": "arn:aws:ec2:ap-southeast-2:123456789012:volume/vol-aaabbbccc123123",
"ID": "vol-aaabbbccc123123",
"Tags": {},
"ResourceID": "arn:aws:ec2:ap-southeast-2:123456789012:volume/vol-aaabbbccc123123",
"ResourceType": "AWS.EC2.Volume",
"TimeCreated": "2019-04-02T17:16:30.000Z",
"Attachments":
[
{
"AttachTime": "2019-04-02T17:16:30Z",
"DeleteOnTermination": true,
"Device": "/dev/sda1",
"InstanceId": "instance-aabbcc123",
"State": "attached",
"VolumeId": "vol-aaabbbccc123123",
},
],
"AvailabilityZone": "us-west-2b",
"Encrypted": false,
"Iops": 100,
"KmsKeyId": null,
"Size": 10,
"SnapshotId": "snap-abcdefg012345",
"State": "in-use",
"VolumeId": "vol-aaabbbccc123123",
"VolumeType": "gp2",
"Snapshots": null,
}
Detection logic
Condition
not not