AWS EC2 EBS Encryption Disabled

Panther Rules

Summary
This rule identifies when default encryption for Amazon Elastic Block Store (EBS) is disabled in an AWS EC2 environment. Disabling default encryption is a potential security risk because volumes created afterwards are unencrypted unless encryption is set explicitly. The change does not affect existing volumes, which retain their encryption state. Detection relies on AWS CloudTrail logs, monitoring the API calls made to EC2 to disable EBS encryption. The rule also suggests verifying that the change was intentional and reviewing the status of EBS volumes created after the change. It is classified as medium severity because of the risk associated with unencrypted data storage in cloud environments.
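The following is an added example, not the Panther rule's own source: it matches the CloudTrail event for disabling default encryption and then lists unencrypted volumes created afterwards in the same account and region, which is the follow-up review the summary describes. It assumes the EC2 API event name `DisableEbsEncryptionByDefault`, standard CloudTrail field names, and an `encrypted` flag in the `CreateVolume` response elements; the sample events and volume IDs are constructed.

```python
from datetime import datetime

def _ev(time, name, region, error=None, response=None):
    """Build a constructed CloudTrail-style record (sample data, not real logs)."""
    return {"eventTime": time, "eventSource": "ec2.amazonaws.com", "eventName": name,
            "awsRegion": region, "recipientAccountId": "111111111111",
            "userIdentity": {"arn": "arn:aws:iam::111111111111:user/example-admin"},
            "errorCode": error, "responseElements": response}

SAMPLE_EVENTS = [
    _ev("2024-01-10T08:00:00Z", "CreateVolume", "us-east-1",
        response={"volumeId": "vol-before", "encrypted": False}),
    _ev("2024-01-10T09:00:00Z", "DisableEbsEncryptionByDefault", "us-east-1"),
    _ev("2024-01-10T09:05:00Z", "DisableEbsEncryptionByDefault", "eu-west-1",
        error="Client.UnauthorizedOperation"),  # denied call, setting unchanged
    _ev("2024-01-10T09:30:00Z", "CreateVolume", "us-east-1",
        response={"volumeId": "vol-after", "encrypted": False}),
    _ev("2024-01-10T09:40:00Z", "CreateVolume", "us-east-1",
        response={"volumeId": "vol-explicit", "encrypted": True}),
    _ev("2024-01-10T10:00:00Z", "CreateVolume", "eu-west-1",
        response={"volumeId": "vol-other-region", "encrypted": False}),
]

def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def is_disable_event(event):
    """True for a successful call that turns off EBS encryption by default."""
    return (event.get("eventSource") == "ec2.amazonaws.com"
            and event.get("eventName") == "DisableEbsEncryptionByDefault"
            and not event.get("errorCode"))

def review(events):
    """One finding per disable event, with unencrypted volumes created after it."""
    findings = []
    for change in filter(is_disable_event, events):
        scope = (change["recipientAccountId"], change["awsRegion"])
        volumes = [e["responseElements"]["volumeId"] for e in events
                   if e.get("eventName") == "CreateVolume" and not e.get("errorCode")
                   and (e["recipientAccountId"], e["awsRegion"]) == scope
                   and _ts(e) >= _ts(change)
                   and (e.get("responseElements") or {}).get("encrypted") is False]
        findings.append({"actor": change["userIdentity"]["arn"], "region": scope[1],
                         "time": change["eventTime"], "unencrypted_volumes": volumes})
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_EVENTS):
        print(finding)
```

The review window here runs from the disable event to the end of the supplied events; it does not close the window if default encryption is later re-enabled.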
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Service
  • Network Traffic
ATT&CK Techniques
  • T1486
  • T1565
Created: 2022-10-14