AWS RDS DB Instance Made Public
An attacker with compromised AWS credentials may modify an Amazon RDS DB instance or cluster to be publicly accessible for persistence, data exfiltration, or to bypass network restrictions.
This detection identifies the creation or modification of an Amazon RDS DB instance or cluster with the publiclyAccessible attribute set to true. While legitimate use cases exist, unexpected public exposure of a database to the internet introduces significant security risks. An adversary with access to AWS credentials might modify a DB instance's public accessibility to exfiltrate data, establish persistence, or bypass internal network restrictions. The rule focuses on ModifyDBInstance, CreateDBInstance, and CreateDBCluster events within AWS CloudTrail logs. Defenders should investigate any unexpected changes to RDS instance accessibility. This activity can indicate compromised credentials or insider threats, and might be correlated with other IAM and network configuration changes to assess the overall impact.
Attack Chain
- An attacker gains unauthorized access to AWS credentials (e.g., via phishing or credential stuffing).
- The attacker uses the compromised credentials to authenticate to the AWS Management Console or via the AWS CLI/API.
- The attacker identifies a target RDS DB instance or cluster.
- The attacker executes a
ModifyDBInstanceAPI call, setting thePubliclyAccessibleparameter totruein therequest_parameters. - Alternatively, the attacker executes a
CreateDBInstanceorCreateDBClusterAPI call with thePubliclyAccessibleparameter set totrue. - The attacker modifies associated security groups using
AuthorizeSecurityGroupIngressto allow inbound traffic from0.0.0.0/0or other broad IP ranges. - The now publicly accessible RDS instance is used to exfiltrate data or as a pivot point to attack other internal resources.
- The attacker leverages the publicly exposed database for persistent access and further reconnaissance.
Impact
If an attacker successfully makes an RDS DB instance publicly accessible, they can potentially exfiltrate sensitive data, pivot to other internal resources, or establish persistent access to the environment. The number of affected instances depends on the scope of the credential compromise. Sectors that heavily rely on cloud infrastructure, such as finance, healthcare, and technology, are at higher risk. The impact can range from data breaches and compliance violations to significant financial losses and reputational damage.
Recommendation
- Deploy the Sigma rule "AWS RDS DB Instance Made Public" to your SIEM using
filebeat-*andlogs-aws.cloudtrail-*indices to detect modifications to RDS instance accessibility. - Review
aws.cloudtrail.user_identity.arnandaws.cloudtrail.user_identity.typein the SIEM to identify the IAM principal that made the change and validate its legitimacy. - Monitor for
AuthorizeSecurityGroupIngressevents in CloudTrail logs that allow inbound traffic from0.0.0.0/0to associated security groups of RDS instances. - Implement AWS Config rules (e.g.,
rds-instance-public-access-check) to automatically detect and remediate publicly accessible RDS instances. - Enforce Service Control Policies (SCPs) to prevent the creation of publicly accessible RDS instances.
- Refer to the provided AWS IR Playbooks and AWS Customer Playbook Framework documentation for incident response guidance.
Detection coverage 2
AWS RDS Instance Publicly Accessible via ModifyDBInstance
mediumDetects when an Amazon RDS DB instance is modified to be publicly accessible.
AWS RDS Instance Created as Publicly Accessible
mediumDetects when an Amazon RDS DB instance or cluster is created with public accessibility enabled.
Detection queries are available on the platform. Get full rules →