{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/amazon-aurora/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Amazon RDS","Amazon Aurora"],"_cs_severities":["medium"],"_cs_tags":["cloud","aws","rds","datadestruction"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThe deletion of Amazon RDS DB instances, Aurora clusters, or global database clusters can lead to permanent data loss and major service disruption. This activity is often carried out by adversaries who have gained sufficient permissions within an AWS environment. The motivation behind such actions can range from impeding recovery efforts following a ransomware attack, destroying critical evidence to hinder forensic investigations, or directly inflicting operational impact on the targeted environment. Defenders should be aware that these actions are irreversible without backups, making swift detection and validation essential to mitigate potential damage.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn adversary gains initial access to the AWS environment, potentially through compromised credentials or an IAM role with excessive permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates existing RDS DB instances, Aurora clusters, or global database clusters within the target AWS account to identify valuable targets.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the deletionProtection setting on the target RDS resource to \u003ccode\u003efalse\u003c/code\u003e to allow deletion.\u003c/li\u003e\n\u003cli\u003eThe attacker may disable or modify backup configurations to prevent recovery options, such as setting backupRetentionPeriod to \u003ccode\u003e0\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the \u003ccode\u003eDeleteDBInstance\u003c/code\u003e, \u003ccode\u003eDeleteDBCluster\u003c/code\u003e, or \u003ccode\u003eDeleteGlobalCluster\u003c/code\u003e API call to initiate the deletion process.\u003c/li\u003e\n\u003cli\u003eIf configured, the attacker may attempt to delete any final snapshots created during the deletion process to further hinder recovery.\u003c/li\u003e\n\u003cli\u003eThe targeted RDS resource is permanently deleted, resulting in data loss and potential service disruption.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to cover their tracks by deleting relevant CloudTrail logs or modifying IAM policies.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe deletion of RDS DB instances or clusters can lead to significant data loss, disrupting critical business operations. Depending on the size and importance of the deleted resources, organizations may face substantial financial losses, reputational damage, and regulatory penalties. If backups are unavailable or have also been compromised, data recovery may be impossible, leading to long-term business disruption. The impact can affect organizations of any size that rely on AWS RDS for data storage and retrieval.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAWS RDS DB Instance or Cluster Deleted\u003c/code\u003e to your SIEM and tune for your environment to detect unauthorized RDS resource deletions.\u003c/li\u003e\n\u003cli\u003eEnable deletionProtection on all critical RDS instances and clusters to prevent accidental or malicious deletion.\u003c/li\u003e\n\u003cli\u003eEnforce MFA for IAM users with RDS privileges to reduce the risk of compromised credentials (reference the additional information links).\u003c/li\u003e\n\u003cli\u003eMonitor CloudTrail logs for changes to deletionProtection settings and backup retention policies.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit IAM policies to ensure that users and roles have only the necessary permissions.\u003c/li\u003e\n\u003cli\u003eImplement a process for validating unexpected RDS resource deletions with the service owner or database administrator.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process-creation logging to correlate with CloudTrail logs in case CLI or SDK tools are used for deletion.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-aws-rds-deletion/","summary":"An adversary with sufficient permissions may delete RDS resources such as DB instances or clusters to impede recovery, destroy evidence, or inflict operational impact on the environment.","title":"AWS RDS DB Instance or Cluster Deleted","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-rds-deletion/"}],"language":"en","title":"CraftedSignal Threat Feed - Amazon Aurora","version":"https://jsonfeed.org/version/1.1"}