AWS RDS DB Instance or Cluster Deletion Protection Disabled
An adversary may disable deletion protection on an AWS RDS DB instance or cluster as a precursor to destructive actions, such as deleting databases containing sensitive data.
This alert identifies instances where the deletionProtection feature of an AWS RDS DB instance or cluster is disabled. Deletion protection is a security mechanism that prevents accidental or unauthorized deletion of RDS resources. An adversary with sufficient permissions within a compromised AWS environment may disable this protection to pave the way for destructive activities, including the deletion of databases that hold sensitive or business-critical information. The detection focuses on explicit modifications setting deletionProtection to false on RDS DB instances or clusters. This activity is often a precursor to a DeleteDBInstance or DeleteDBCluster action.
Attack Chain
- The adversary gains access to an AWS account with sufficient privileges to modify RDS instances or clusters, potentially through compromised credentials or an insider threat.
- The attacker authenticates to the AWS Management Console, CLI, or API using the compromised credentials or assumed role.
- The attacker uses the
ModifyDBInstanceorModifyDBClusterAPI call to target a specific RDS DB instance or cluster. - Within the
ModifyDBInstanceorModifyDBClusterAPI call, the attacker sets thedeletionProtectionparameter tofalse. - AWS CloudTrail logs the
ModifyDBInstanceorModifyDBClusterevent withdeletionProtection=falsein therequestParameters. - The attacker may then initiate a
DeleteDBInstanceorDeleteDBClusterAPI call to remove the targeted RDS resource. - The database instance or cluster is deleted, resulting in data loss and potential disruption of services.
Impact
Disabling deletion protection on AWS RDS instances or clusters can lead to the unauthorized or accidental deletion of critical databases. Successful execution of this attack can result in significant data loss, business disruption, and potential financial repercussions. The impact can range from temporary service outages to permanent data loss, depending on the affected systems and backup policies.
Recommendation
- Deploy the Sigma rule
AWS RDS Deletion Protection Disabled via CloudTrailto your SIEM and tune for your environment to detect when deletion protection is disabled (refer to the rule definition below). - Review
aws.cloudtrail.user_identity.arnto determine the IAM principal that made the change, and validate whether this principal normally performs RDS lifecycle operations as outlined in the investigation guide. - Immediately re-enable deletion protection (
deletionProtection=true) on the affected DB instance or cluster if the change was unauthorized, as described in the remediation steps in the overview. - Restrict who can modify
ModifyDBInstanceorModifyDBClusterdestructive settings, such as deletion protection, backup retention, and public accessibility.
Detection coverage 2
AWS RDS Deletion Protection Disabled via CloudTrail
mediumDetects when deletion protection is disabled on an AWS RDS DB instance or cluster via CloudTrail logs.
AWS RDS Instance Deletion via CloudTrail
highDetects when an AWS RDS DB instance is deleted via CloudTrail logs.
Detection queries are available on the platform. Get full rules →