AWS RDS DB Instance Restored for Defense Evasion or Data Collection
Detection of AWS RDS database instance restoration from a snapshot or S3 backup, potentially indicating unauthorized data access, defense evasion, or data collection by adversaries recreating database environments to bypass controls or exfiltrate sensitive data.
This rule detects the restoration of an AWS RDS database instance, a technique that can be abused by adversaries for defense evasion or data collection. Attackers may restore databases from snapshots or S3 backups to bypass logging and monitoring, create shadow environments for data exfiltration, or access older data. The activity is triggered by the successful execution of RestoreDBInstanceFromDBSnapshot or RestoreDBInstanceFromS3 events within AWS CloudTrail logs. Defenders should monitor for unexpected RDS restores to identify potential malicious activity and data compromise. This activity can occur post-compromise after an attacker gains access to AWS credentials with sufficient privileges to manage RDS instances.
Attack Chain
- An attacker gains access to an AWS account through compromised credentials or privilege escalation.
- The attacker enumerates available RDS snapshots and S3 backups using AWS CLI or API calls (
DescribeDBSnapshots,DescribeDBInstances). - The attacker identifies a target RDS database instance containing sensitive data.
- The attacker initiates a
RestoreDBInstanceFromDBSnapshotorRestoreDBInstanceFromS3operation to create a new RDS instance from a snapshot or backup. - A new RDS instance is created with the data from the snapshot or backup.
- The attacker accesses the restored database instance, bypassing monitoring on the original instance.
- The attacker exfiltrates sensitive data from the restored instance.
- The attacker may attempt to delete the restored instance and snapshots to remove traces of their activity.
Impact
Successful exploitation allows attackers to bypass existing security controls and gain unauthorized access to sensitive data stored within the RDS database. This can lead to data breaches, financial loss, and reputational damage. If the attacker gains access to a production database copy, the impact can be significant, potentially affecting thousands of users. The sectors most likely impacted include those that rely heavily on cloud-based database solutions, such as finance, healthcare, and technology.
Recommendation
- Deploy the Sigma rule "AWS RDS DB Instance Restored" to your SIEM, tuned for your specific environment, to detect unauthorized RDS instance restorations.
- Enforce least privilege for
rds:RestoreDBInstanceFromDBSnapshotandrds:RestoreDBInstanceFromS3actions using IAM policies, restricting restore actions by network, principal, or region. - Enable AWS CloudTrail logging and monitor for unexpected RDS events, focusing on
RestoreDBInstanceFromDBSnapshotandRestoreDBInstanceFromS3actions. - Implement AWS Config and Security Hub controls for monitoring unapproved RDS restores and misconfigured restored instances.
- Investigate any alerts generated by the Sigma rule, focusing on the user identity, source IP, and the snapshot or S3 location used for the restore.
Detection coverage 3
AWS RDS DB Instance Restored
mediumDetects the restoration of an AWS RDS database instance from a snapshot or S3 backup.
AWS RDS Restore Request Parameters
mediumDetects RDS restore operations with unusual parameters like public accessibility or altered security groups.
AWS RDS Restore using unusual Access Key
mediumDetects AWS RDS restore operations using unusual or unknown access keys
Detection queries are available on the platform. Get full rules →