AWS Suspect Public RDS Change

AWS Suspect Public RDS Change

Detection overview

Triggers

  • An AWS control-plane API was invoked which modified the attributes of a RDS snapshot granting either an unknown, external account or the public the ability to restore a RDS database from the snapshot.

Possible Root Causes

  • An attacker may be exfiltrating data contained in the RDS database by sharing a snapshot externally.
  • An authorized administrator may be performing backup or disaster recovery activities or sharing snapshots in order to coordinate troubleshooting efforts.

Business Impact

  • Exfiltration of RDS database snapshots by an attacker may expose details that support further attack progression. An impacted organization may incur data loss, impacting the confidentiality of sensitive information contained in the impacted RDS database.

Steps to Verify

  • Investigate the Principal that performed the actions for other signs of malicious activity.
  • Investigate for potential data loss.
  • Validate that any modifications to snapshot attributes are authorized, given the purpose and policies governing this resource.
  • If review indicates possible malicious actions or high-risk configuration:
    - Revert any configuration changes.
    - Disable credentials associated with this alert.
    - Perform a comprehensive investigation to determine initial compromise and scope of impacted resources.
AWS Suspect Public RDS Change

Possible root causes

Malicious Detection

Benign Detection

AWS Suspect Public RDS Change

Example scenarios

AWS Suspect Public RDS Change

Business impact

If this detection indicates a genuine threat, the organization faces significant risks:

AWS Suspect Public RDS Change

Steps to investigate

AWS Suspect Public RDS Change

MITRE ATT&CK techniques covered

AWS Suspect Public RDS Change

Related detections

No items found.

FAQs