<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>AWS RDS - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/aws-rds/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 15 Nov 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/aws-rds/feed.xml" rel="self" type="application/rss+xml"/><item><title>AWS RDS DB Snapshot Shared with Another Account</title><link>https://feed.craftedsignal.io/briefs/2024-11-aws-rds-snapshot-shared/</link><pubDate>Fri, 15 Nov 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-11-aws-rds-snapshot-shared/</guid><description>An AWS RDS DB snapshot is shared with another AWS account or made public, potentially enabling unauthorized access, offline analysis, or data exfiltration by allowing adversaries to restore the snapshot in their controlled infrastructure.</description><content:encoded><![CDATA[<p>This threat focuses on the exfiltration of data from AWS RDS DB snapshots. Adversaries with valid credentials or through misconfigurations may modify snapshot attributes to grant access to accounts they control, bypassing existing security measures. This allows the attacker to restore the snapshot in an environment they control, enabling unauthorized access, offline analysis, or data exfiltration. The attack starts when modifications are made to snapshot attributes adding one or more additional AWS accounts to the snapshot's restore permissions. The rule &quot;AWS RDS DB Snapshot Shared with Another Account&quot; from Elastic detects these successful modifications. This is a critical issue, as DB snapshots contain complete backups of database instances, including schemas, table data, and sensitive application content.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> The attacker gains access to an AWS account through compromised credentials or exploiting a misconfiguration.</li>
<li><strong>Discovery:</strong> The attacker uses reconnaissance actions such as <code>DescribeDBSnapshots</code> or <code>DescribeDBInstances</code> to identify valuable RDS DB snapshots.</li>
<li><strong>Privilege Escalation (Optional):</strong> The attacker may attempt to escalate privileges using techniques like <code>AttachRolePolicy</code>, <code>PutUserPolicy</code>, or <code>AssumeRole</code> to gain the necessary permissions to modify snapshot attributes.</li>
<li><strong>Modify DBSnapshotAttribute:</strong> The attacker modifies the snapshot's attributes using the <code>ModifyDBSnapshotAttribute</code> or <code>ModifyDBClusterSnapshotAttribute</code> API calls, adding the attacker's AWS account to the restore permissions.</li>
<li><strong>Snapshot Copying (Optional):</strong> The attacker may copy the snapshot using the <code>CopyDBSnapshot</code> event to another region or account under their control.</li>
<li><strong>Snapshot Restoration:</strong> The attacker restores the snapshot in their AWS environment. This creates a new DB instance or cluster with the data from the snapshot.</li>
<li><strong>Data Exfiltration:</strong> The attacker accesses the restored database instance and extracts the sensitive data.</li>
<li><strong>Cleanup (Optional):</strong> The attacker may attempt to cover their tracks by deleting CloudTrail logs or modifying other security configurations.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows the attacker to exfiltrate sensitive data contained within the RDS DB snapshot. The number of potential victims is dependent on how widely these snapshots are shared and on the value of the data contained within. Sectors that rely heavily on cloud databases are at increased risk. Consequences of successful attacks include data breaches, financial loss, reputational damage, and legal liabilities.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Elastic EQL rule &quot;AWS RDS DB Snapshot Shared with Another Account&quot; to your SIEM to detect unauthorized snapshot modifications, tuning it for your environment.</li>
<li>Restrict snapshot sharing using IAM condition keys (<code>kms:ViaService</code>, <code>rds:dbSnapshotArn</code>, <code>aws:PrincipalArn</code>) as noted in the overview, and remediate existing cross-account access.</li>
<li>Enable AWS Config rules and Security Hub controls for public or cross-account snapshot access, based on the recommendation in the overview section.</li>
<li>Monitor AWS CloudTrail logs for <code>ModifyDBSnapshotAttribute</code> and <code>ModifyDBClusterSnapshotAttribute</code> events (as seen in the Attack Chain) to identify suspicious activity.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>aws</category><category>rds</category><category>snapshot</category><category>exfiltration</category></item><item><title>AWS RDS DB Instance or Cluster Deletion Protection Disabled</title><link>https://feed.craftedsignal.io/briefs/2024-07-aws-rds-deletion-protection-disabled/</link><pubDate>Wed, 03 Jul 2024 14:30:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-07-aws-rds-deletion-protection-disabled/</guid><description>An adversary may disable deletion protection on an AWS RDS DB instance or cluster as a precursor to destructive actions, such as deleting databases containing sensitive data.</description><content:encoded><![CDATA[<p>This alert identifies instances where the deletionProtection feature of an AWS RDS DB instance or cluster is disabled. Deletion protection is a security mechanism that prevents accidental or unauthorized deletion of RDS resources. An adversary with sufficient permissions within a compromised AWS environment may disable this protection to pave the way for destructive activities, including the deletion of databases that hold sensitive or business-critical information. The detection focuses on explicit modifications setting <code>deletionProtection</code> to <code>false</code> on RDS DB instances or clusters. This activity is often a precursor to a <code>DeleteDBInstance</code> or <code>DeleteDBCluster</code> action.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The adversary gains access to an AWS account with sufficient privileges to modify RDS instances or clusters, potentially through compromised credentials or an insider threat.</li>
<li>The attacker authenticates to the AWS Management Console, CLI, or API using the compromised credentials or assumed role.</li>
<li>The attacker uses the <code>ModifyDBInstance</code> or <code>ModifyDBCluster</code> API call to target a specific RDS DB instance or cluster.</li>
<li>Within the <code>ModifyDBInstance</code> or <code>ModifyDBCluster</code> API call, the attacker sets the <code>deletionProtection</code> parameter to <code>false</code>.</li>
<li>AWS CloudTrail logs the <code>ModifyDBInstance</code> or <code>ModifyDBCluster</code> event with <code>deletionProtection=false</code> in the <code>requestParameters</code>.</li>
<li>The attacker may then initiate a <code>DeleteDBInstance</code> or <code>DeleteDBCluster</code> API call to remove the targeted RDS resource.</li>
<li>The database instance or cluster is deleted, resulting in data loss and potential disruption of services.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Disabling deletion protection on AWS RDS instances or clusters can lead to the unauthorized or accidental deletion of critical databases. Successful execution of this attack can result in significant data loss, business disruption, and potential financial repercussions. The impact can range from temporary service outages to permanent data loss, depending on the affected systems and backup policies.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>AWS RDS Deletion Protection Disabled via CloudTrail</code> to your SIEM and tune for your environment to detect when deletion protection is disabled (refer to the rule definition below).</li>
<li>Review <code>aws.cloudtrail.user_identity.arn</code> to determine the IAM principal that made the change, and validate whether this principal normally performs RDS lifecycle operations as outlined in the investigation guide.</li>
<li>Immediately re-enable deletion protection (<code>deletionProtection=true</code>) on the affected DB instance or cluster if the change was unauthorized, as described in the remediation steps in the overview.</li>
<li>Restrict who can modify <code>ModifyDBInstance</code> or <code>ModifyDBCluster</code> destructive settings, such as deletion protection, backup retention, and public accessibility.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cloud</category><category>aws</category><category>rds</category><category>datadestruction</category></item><item><title>AWS RDS DB Instance Made Public</title><link>https://feed.craftedsignal.io/briefs/2024-07-aws-rds-public/</link><pubDate>Wed, 03 Jul 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-07-aws-rds-public/</guid><description>An attacker with compromised AWS credentials may modify an Amazon RDS DB instance or cluster to be publicly accessible for persistence, data exfiltration, or to bypass network restrictions.</description><content:encoded><![CDATA[<p>This detection identifies the creation or modification of an Amazon RDS DB instance or cluster with the <code>publiclyAccessible</code> attribute set to <code>true</code>. While legitimate use cases exist, unexpected public exposure of a database to the internet introduces significant security risks. An adversary with access to AWS credentials might modify a DB instance's public accessibility to exfiltrate data, establish persistence, or bypass internal network restrictions. The rule focuses on <code>ModifyDBInstance</code>, <code>CreateDBInstance</code>, and <code>CreateDBCluster</code> events within AWS CloudTrail logs. Defenders should investigate any unexpected changes to RDS instance accessibility. This activity can indicate compromised credentials or insider threats, and might be correlated with other IAM and network configuration changes to assess the overall impact.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains unauthorized access to AWS credentials (e.g., via phishing or credential stuffing).</li>
<li>The attacker uses the compromised credentials to authenticate to the AWS Management Console or via the AWS CLI/API.</li>
<li>The attacker identifies a target RDS DB instance or cluster.</li>
<li>The attacker executes a <code>ModifyDBInstance</code> API call, setting the <code>PubliclyAccessible</code> parameter to <code>true</code> in the <code>request_parameters</code>.</li>
<li>Alternatively, the attacker executes a <code>CreateDBInstance</code> or <code>CreateDBCluster</code> API call with the <code>PubliclyAccessible</code> parameter set to <code>true</code>.</li>
<li>The attacker modifies associated security groups using <code>AuthorizeSecurityGroupIngress</code> to allow inbound traffic from <code>0.0.0.0/0</code> or other broad IP ranges.</li>
<li>The now publicly accessible RDS instance is used to exfiltrate data or as a pivot point to attack other internal resources.</li>
<li>The attacker leverages the publicly exposed database for persistent access and further reconnaissance.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>If an attacker successfully makes an RDS DB instance publicly accessible, they can potentially exfiltrate sensitive data, pivot to other internal resources, or establish persistent access to the environment. The number of affected instances depends on the scope of the credential compromise. Sectors that heavily rely on cloud infrastructure, such as finance, healthcare, and technology, are at higher risk. The impact can range from data breaches and compliance violations to significant financial losses and reputational damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;AWS RDS DB Instance Made Public&quot; to your SIEM using <code>filebeat-*</code> and <code>logs-aws.cloudtrail-*</code> indices to detect modifications to RDS instance accessibility.</li>
<li>Review <code>aws.cloudtrail.user_identity.arn</code> and <code>aws.cloudtrail.user_identity.type</code> in the SIEM to identify the IAM principal that made the change and validate its legitimacy.</li>
<li>Monitor for <code>AuthorizeSecurityGroupIngress</code> events in CloudTrail logs that allow inbound traffic from <code>0.0.0.0/0</code> to associated security groups of RDS instances.</li>
<li>Implement AWS Config rules (e.g., <code>rds-instance-public-access-check</code>) to automatically detect and remediate publicly accessible RDS instances.</li>
<li>Enforce Service Control Policies (SCPs) to prevent the creation of publicly accessible RDS instances.</li>
<li>Refer to the provided AWS IR Playbooks and AWS Customer Playbook Framework documentation for incident response guidance.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cloud</category><category>aws</category><category>rds</category><category>persistence</category><category>defense_evasion</category></item></channel></rss>