<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Amazon Aurora - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/amazon-aurora/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/amazon-aurora/feed.xml" rel="self" type="application/rss+xml"/><item><title>AWS RDS DB Instance or Cluster Deleted</title><link>https://feed.craftedsignal.io/briefs/2024-01-aws-rds-deletion/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-aws-rds-deletion/</guid><description>An adversary with sufficient permissions may delete RDS resources such as DB instances or clusters to impede recovery, destroy evidence, or inflict operational impact on the environment.</description><content:encoded><![CDATA[<p>The deletion of Amazon RDS DB instances, Aurora clusters, or global database clusters can lead to permanent data loss and major service disruption. This activity is often carried out by adversaries who have gained sufficient permissions within an AWS environment. The motivation behind such actions can range from impeding recovery efforts following a ransomware attack, destroying critical evidence to hinder forensic investigations, or directly inflicting operational impact on the targeted environment. Defenders should be aware that these actions are irreversible without backups, making swift detection and validation essential to mitigate potential damage.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An adversary gains initial access to the AWS environment, potentially through compromised credentials or an IAM role with excessive permissions.</li>
<li>The attacker enumerates existing RDS DB instances, Aurora clusters, or global database clusters within the target AWS account to identify valuable targets.</li>
<li>The attacker modifies the deletionProtection setting on the target RDS resource to <code>false</code> to allow deletion.</li>
<li>The attacker may disable or modify backup configurations to prevent recovery options, such as setting backupRetentionPeriod to <code>0</code>.</li>
<li>The attacker executes the <code>DeleteDBInstance</code>, <code>DeleteDBCluster</code>, or <code>DeleteGlobalCluster</code> API call to initiate the deletion process.</li>
<li>If configured, the attacker may attempt to delete any final snapshots created during the deletion process to further hinder recovery.</li>
<li>The targeted RDS resource is permanently deleted, resulting in data loss and potential service disruption.</li>
<li>The attacker may attempt to cover their tracks by deleting relevant CloudTrail logs or modifying IAM policies.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The deletion of RDS DB instances or clusters can lead to significant data loss, disrupting critical business operations. Depending on the size and importance of the deleted resources, organizations may face substantial financial losses, reputational damage, and regulatory penalties. If backups are unavailable or have also been compromised, data recovery may be impossible, leading to long-term business disruption. The impact can affect organizations of any size that rely on AWS RDS for data storage and retrieval.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>AWS RDS DB Instance or Cluster Deleted</code> to your SIEM and tune for your environment to detect unauthorized RDS resource deletions.</li>
<li>Enable deletionProtection on all critical RDS instances and clusters to prevent accidental or malicious deletion.</li>
<li>Enforce MFA for IAM users with RDS privileges to reduce the risk of compromised credentials (reference the additional information links).</li>
<li>Monitor CloudTrail logs for changes to deletionProtection settings and backup retention policies.</li>
<li>Regularly review and audit IAM policies to ensure that users and roles have only the necessary permissions.</li>
<li>Implement a process for validating unexpected RDS resource deletions with the service owner or database administrator.</li>
<li>Enable Sysmon process-creation logging to correlate with CloudTrail logs in case CLI or SDK tools are used for deletion.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cloud</category><category>aws</category><category>rds</category><category>datadestruction</category></item></channel></rss>