<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Amazon RDS - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/amazon-rds/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jul 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/amazon-rds/feed.xml" rel="self" type="application/rss+xml"/><item><title>AWS RDS Snapshot Deletion Detected</title><link>https://feed.craftedsignal.io/briefs/2024-07-aws-rds-snapshot-deletion/</link><pubDate>Wed, 03 Jul 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-07-aws-rds-snapshot-deletion/</guid><description>The deletion of AWS RDS DB snapshots or disabling backups via configuration changes can inhibit recovery, destroy forensic evidence, and prepare for destructive actions by adversaries.</description><content:encoded><![CDATA[<p>This rule detects the deletion of AWS RDS DB snapshots or configuration changes that effectively remove backup coverage for a DB instance. RDS snapshots contain full backups of database instances, and disabling automated backups by setting &quot;backupRetentionPeriod=0&quot; has a similar impact by preventing future restore points. A threat actor with sufficient AWS permissions may delete snapshots or disable backups to inhibit recovery, destroy forensic evidence, or prepare for follow-on destructive actions such as instance or cluster deletion. The rule focuses on successful snapshot deletions and backup disabling events within AWS RDS. The scope includes any AWS environment utilizing RDS for database services.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains access to an AWS account with sufficient permissions to manage RDS instances and snapshots, possibly through compromised credentials or an IAM role with excessive privileges.</li>
<li>The attacker enumerates available RDS DB instances and snapshots within the target AWS account using AWS CLI or API calls (e.g., <code>DescribeDBSnapshots</code>, <code>DescribeDBInstances</code>).</li>
<li>The attacker identifies target DB instances and their associated snapshots that are critical for recovery or contain valuable forensic data.</li>
<li>The attacker deletes RDS DB snapshots using the <code>DeleteDBSnapshot</code> API call, effectively removing restore points.</li>
<li>Alternatively, the attacker modifies the DB instance configuration using the <code>ModifyDBInstance</code> API call, setting <code>backupRetentionPeriod</code> to 0 to disable automated backups and prevent future restore points.</li>
<li>The attacker may then delete the RDS instance itself using DeleteDBInstance.</li>
<li>The attacker attempts to cover their tracks by deleting relevant CloudTrail logs or disabling CloudTrail logging.</li>
<li>The attacker's objective is to prevent restoration to a known-good state and destroy forensic evidence of attacker actions, potentially as part of a ransomware attack or data exfiltration attempt.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful deletion of RDS snapshots or disabling of backups can lead to significant data loss and prolonged downtime, making recovery from security incidents or operational failures difficult or impossible. This can impact business continuity, data integrity, and regulatory compliance. The precise impact depends on the criticality of the affected databases and the availability of alternative backup mechanisms. If successful, this can result in total data loss for the organization.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule to your SIEM to detect suspicious <code>DeleteDBSnapshot</code>, <code>DeleteDBClusterSnapshot</code>, or <code>ModifyDBInstance</code> events setting <code>backupRetentionPeriod=0</code> in AWS CloudTrail logs.</li>
<li>Restrict IAM permissions for <code>rds:DeleteDBSnapshot</code>, <code>rds:DeleteDBClusterSnapshot</code>, and <code>rds:ModifyDBInstance</code> (especially backup and deletion-related parameters) to a small set of privileged roles, as described in the remediation steps.</li>
<li>Use AWS Config rules and/or Security Hub controls to detect instances with <code>backupRetentionPeriod=0</code>, as recommended in the hardening and preventive controls section.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>aws</category><category>rds</category><category>snapshot</category><category>backup</category><category>datadestruction</category></item><item><title>AWS RDS DB Instance or Cluster Deleted</title><link>https://feed.craftedsignal.io/briefs/2024-01-aws-rds-deletion/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-aws-rds-deletion/</guid><description>An adversary with sufficient permissions may delete RDS resources such as DB instances or clusters to impede recovery, destroy evidence, or inflict operational impact on the environment.</description><content:encoded><![CDATA[<p>The deletion of Amazon RDS DB instances, Aurora clusters, or global database clusters can lead to permanent data loss and major service disruption. This activity is often carried out by adversaries who have gained sufficient permissions within an AWS environment. The motivation behind such actions can range from impeding recovery efforts following a ransomware attack, destroying critical evidence to hinder forensic investigations, or directly inflicting operational impact on the targeted environment. Defenders should be aware that these actions are irreversible without backups, making swift detection and validation essential to mitigate potential damage.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An adversary gains initial access to the AWS environment, potentially through compromised credentials or an IAM role with excessive permissions.</li>
<li>The attacker enumerates existing RDS DB instances, Aurora clusters, or global database clusters within the target AWS account to identify valuable targets.</li>
<li>The attacker modifies the deletionProtection setting on the target RDS resource to <code>false</code> to allow deletion.</li>
<li>The attacker may disable or modify backup configurations to prevent recovery options, such as setting backupRetentionPeriod to <code>0</code>.</li>
<li>The attacker executes the <code>DeleteDBInstance</code>, <code>DeleteDBCluster</code>, or <code>DeleteGlobalCluster</code> API call to initiate the deletion process.</li>
<li>If configured, the attacker may attempt to delete any final snapshots created during the deletion process to further hinder recovery.</li>
<li>The targeted RDS resource is permanently deleted, resulting in data loss and potential service disruption.</li>
<li>The attacker may attempt to cover their tracks by deleting relevant CloudTrail logs or modifying IAM policies.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The deletion of RDS DB instances or clusters can lead to significant data loss, disrupting critical business operations. Depending on the size and importance of the deleted resources, organizations may face substantial financial losses, reputational damage, and regulatory penalties. If backups are unavailable or have also been compromised, data recovery may be impossible, leading to long-term business disruption. The impact can affect organizations of any size that rely on AWS RDS for data storage and retrieval.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>AWS RDS DB Instance or Cluster Deleted</code> to your SIEM and tune for your environment to detect unauthorized RDS resource deletions.</li>
<li>Enable deletionProtection on all critical RDS instances and clusters to prevent accidental or malicious deletion.</li>
<li>Enforce MFA for IAM users with RDS privileges to reduce the risk of compromised credentials (reference the additional information links).</li>
<li>Monitor CloudTrail logs for changes to deletionProtection settings and backup retention policies.</li>
<li>Regularly review and audit IAM policies to ensure that users and roles have only the necessary permissions.</li>
<li>Implement a process for validating unexpected RDS resource deletions with the service owner or database administrator.</li>
<li>Enable Sysmon process-creation logging to correlate with CloudTrail logs in case CLI or SDK tools are used for deletion.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cloud</category><category>aws</category><category>rds</category><category>datadestruction</category></item><item><title>AWS RDS Master User Password Reset Detection</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-aws-rds-password-reset/</link><pubDate>Wed, 03 Jan 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-aws-rds-password-reset/</guid><description>Detection of unauthorized master user password resets for Amazon RDS DB instances via AWS CloudTrail logs, potentially leading to sensitive data access and data breaches.</description><content:encoded><![CDATA[<p>This analytic detects the resetting of the master user password for an Amazon RDS DB instance. The detection leverages AWS CloudTrail logs ingested via Amazon Security Lake to identify events where the <code>ModifyDBInstance</code> or <code>ModifyDBCluster</code> API calls include a new <code>masterUserPassword</code> parameter. This activity is significant because unauthorized password resets can grant attackers access to sensitive data stored in production databases, which may contain sensitive information such as credit card numbers, PII, or protected health information. If the password reset is confirmed to be malicious, it could lead to data breaches, regulatory non-compliance, and significant reputational damage. This detection is based on version 8 of the Splunk Security Content analytic &quot;ASL AWS Credential Access RDS Password reset&quot; published on April 15, 2026.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to an AWS account, potentially through compromised credentials (T1110) or phishing (T1586.003).</li>
<li>The attacker leverages the AWS Management Console or AWS CLI to interact with the RDS service.</li>
<li>The attacker issues a <code>ModifyDBInstance</code> or <code>ModifyDBCluster</code> API call.</li>
<li>Within the <code>ModifyDBInstance</code> or <code>ModifyDBCluster</code> API call, the attacker includes the <code>masterUserPassword</code> parameter.</li>
<li>The RDS service processes the request and resets the master user password for the specified database instance or cluster.</li>
<li>The attacker uses the newly reset master user password to authenticate to the RDS database instance.</li>
<li>The attacker gains access to sensitive data stored within the RDS database.</li>
<li>The attacker exfiltrates or manipulates the data for malicious purposes.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack resulting in unauthorized password reset can lead to a complete compromise of the RDS database instance. This could result in data breaches with millions of records exposed, regulatory fines for non-compliance (e.g., GDPR, HIPAA), and severe reputational damage affecting customer trust and stock prices. Sectors heavily reliant on RDS databases, such as finance, healthcare, and e-commerce, are particularly vulnerable.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>AWS RDS Master User Password Reset</code> to your SIEM and tune for your environment using AWS CloudTrail logs ingested via Amazon Security Lake.</li>
<li>Investigate any detected instances of <code>ModifyDBInstance</code> or <code>ModifyDBCluster</code> API calls containing the <code>masterUserPassword</code> parameter by pivoting to the originating IP address (<code>src_endpoint.ip</code>) and user agent (<code>http_request.user_agent</code>) from the Sigma rule.</li>
<li>Implement multi-factor authentication (MFA) for all AWS accounts, especially those with permissions to manage RDS instances, to mitigate compromised credential attacks (T1110).</li>
<li>Review and enforce the principle of least privilege for IAM roles, ensuring that users only have the necessary permissions to perform their job functions.</li>
<li>Monitor AWS CloudTrail logs for other suspicious API calls related to RDS, such as modifications to security groups or network ACLs.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cloud</category><category>aws</category><category>credential-access</category><category>rds</category></item></channel></rss>