<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Rds - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/rds/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 28 May 2026 21:19:02 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/rds/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-46840 - Oracle REST Data Services Takeover Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-05-cve-2026-46840-ords/</link><pubDate>Thu, 28 May 2026 21:19:02 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-cve-2026-46840-ords/</guid><description>CVE-2026-46840 is a critical vulnerability in Oracle REST Data Services (ORDS) that allows an unauthenticated attacker with network access to achieve complete takeover of the service, potentially impacting additional products due to scope change.</description><content:encoded><![CDATA[<p>CVE-2026-46840 is a highly critical vulnerability affecting Oracle REST Data Services (ORDS), specifically the Backend-as-a-Service component. The vulnerability impacts versions 24.2.0 through 26.1.0. An unauthenticated attacker with network access via HTTPS can exploit this flaw to completely compromise an ORDS instance. Successful exploitation leads to full control of the ORDS instance and may also cause significant impact on other products that rely on the compromised ORDS instance due to the scope change aspect of the vulnerability. This presents a substantial risk to organizations utilizing affected versions of Oracle REST Data Services, potentially allowing attackers to gain unauthorized access to sensitive data, modify system configurations, or disrupt critical services.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies a vulnerable Oracle REST Data Services instance accessible via HTTPS.</li>
<li>Attacker sends a specially crafted HTTPS request to the vulnerable Backend-as-a-Service component.</li>
<li>The malicious request exploits a flaw within the ORDS application, bypassing authentication checks.</li>
<li>The vulnerability allows the attacker to execute arbitrary code within the ORDS instance.</li>
<li>Attacker leverages the code execution to escalate privileges within the ORDS environment.</li>
<li>Attacker gains complete control over the ORDS instance, achieving full administrative access.</li>
<li>The attacker can now access sensitive data, modify configurations, or disrupt the ORDS service.</li>
<li>Due to the scope change impact, the attacker pivots to compromise other products or services that rely on the now-compromised ORDS instance, expanding the impact of the attack.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-46840 can result in a complete takeover of Oracle REST Data Services. This can lead to unauthorized access to sensitive data, modification of critical system configurations, and disruption of essential services. The vulnerability's potential to impact additional products amplifies the risk, potentially exposing a wider range of systems and data to compromise. Given the CVSS base score of 10.0, the impact is considered critical, affecting confidentiality, integrity, and availability.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the patch provided by Oracle to address CVE-2026-46840 on all affected Oracle REST Data Services instances (versions 24.2.0-26.1.0).</li>
<li>Deploy the Sigma rule &quot;Detect CVE-2026-46840 Exploitation Attempt via Malicious HTTPS Request&quot; to identify exploitation attempts in web server logs.</li>
<li>Implement network segmentation to limit the scope of potential compromise in case of successful exploitation, mitigating the &quot;scope change&quot; impact mentioned in the overview.</li>
<li>Monitor outbound network connections originating from ORDS servers for unusual activity after patching, which could indicate post-exploitation activity.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>oracle</category><category>rds</category><category>rest</category><category>vulnerability</category><category>cve-2026-46840</category><category>takeover</category></item><item><title>AWS RDS DB Snapshot Shared with Another Account</title><link>https://feed.craftedsignal.io/briefs/2024-11-aws-rds-snapshot-shared/</link><pubDate>Fri, 15 Nov 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-11-aws-rds-snapshot-shared/</guid><description>An AWS RDS DB snapshot is shared with another AWS account or made public, potentially enabling unauthorized access, offline analysis, or data exfiltration by allowing adversaries to restore the snapshot in their controlled infrastructure.</description><content:encoded><![CDATA[<p>This threat focuses on the exfiltration of data from AWS RDS DB snapshots. Adversaries with valid credentials or through misconfigurations may modify snapshot attributes to grant access to accounts they control, bypassing existing security measures. This allows the attacker to restore the snapshot in an environment they control, enabling unauthorized access, offline analysis, or data exfiltration. The attack starts when modifications are made to snapshot attributes adding one or more additional AWS accounts to the snapshot's restore permissions. The rule &quot;AWS RDS DB Snapshot Shared with Another Account&quot; from Elastic detects these successful modifications. This is a critical issue, as DB snapshots contain complete backups of database instances, including schemas, table data, and sensitive application content.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> The attacker gains access to an AWS account through compromised credentials or exploiting a misconfiguration.</li>
<li><strong>Discovery:</strong> The attacker uses reconnaissance actions such as <code>DescribeDBSnapshots</code> or <code>DescribeDBInstances</code> to identify valuable RDS DB snapshots.</li>
<li><strong>Privilege Escalation (Optional):</strong> The attacker may attempt to escalate privileges using techniques like <code>AttachRolePolicy</code>, <code>PutUserPolicy</code>, or <code>AssumeRole</code> to gain the necessary permissions to modify snapshot attributes.</li>
<li><strong>Modify DBSnapshotAttribute:</strong> The attacker modifies the snapshot's attributes using the <code>ModifyDBSnapshotAttribute</code> or <code>ModifyDBClusterSnapshotAttribute</code> API calls, adding the attacker's AWS account to the restore permissions.</li>
<li><strong>Snapshot Copying (Optional):</strong> The attacker may copy the snapshot using the <code>CopyDBSnapshot</code> event to another region or account under their control.</li>
<li><strong>Snapshot Restoration:</strong> The attacker restores the snapshot in their AWS environment. This creates a new DB instance or cluster with the data from the snapshot.</li>
<li><strong>Data Exfiltration:</strong> The attacker accesses the restored database instance and extracts the sensitive data.</li>
<li><strong>Cleanup (Optional):</strong> The attacker may attempt to cover their tracks by deleting CloudTrail logs or modifying other security configurations.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows the attacker to exfiltrate sensitive data contained within the RDS DB snapshot. The number of potential victims is dependent on how widely these snapshots are shared and on the value of the data contained within. Sectors that rely heavily on cloud databases are at increased risk. Consequences of successful attacks include data breaches, financial loss, reputational damage, and legal liabilities.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Elastic EQL rule &quot;AWS RDS DB Snapshot Shared with Another Account&quot; to your SIEM to detect unauthorized snapshot modifications, tuning it for your environment.</li>
<li>Restrict snapshot sharing using IAM condition keys (<code>kms:ViaService</code>, <code>rds:dbSnapshotArn</code>, <code>aws:PrincipalArn</code>) as noted in the overview, and remediate existing cross-account access.</li>
<li>Enable AWS Config rules and Security Hub controls for public or cross-account snapshot access, based on the recommendation in the overview section.</li>
<li>Monitor AWS CloudTrail logs for <code>ModifyDBSnapshotAttribute</code> and <code>ModifyDBClusterSnapshotAttribute</code> events (as seen in the Attack Chain) to identify suspicious activity.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>aws</category><category>rds</category><category>snapshot</category><category>exfiltration</category></item><item><title>AWS RDS DB Instance or Cluster Deletion Protection Disabled</title><link>https://feed.craftedsignal.io/briefs/2024-07-aws-rds-deletion-protection-disabled/</link><pubDate>Wed, 03 Jul 2024 14:30:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-07-aws-rds-deletion-protection-disabled/</guid><description>An adversary may disable deletion protection on an AWS RDS DB instance or cluster as a precursor to destructive actions, such as deleting databases containing sensitive data.</description><content:encoded><![CDATA[<p>This alert identifies instances where the deletionProtection feature of an AWS RDS DB instance or cluster is disabled. Deletion protection is a security mechanism that prevents accidental or unauthorized deletion of RDS resources. An adversary with sufficient permissions within a compromised AWS environment may disable this protection to pave the way for destructive activities, including the deletion of databases that hold sensitive or business-critical information. The detection focuses on explicit modifications setting <code>deletionProtection</code> to <code>false</code> on RDS DB instances or clusters. This activity is often a precursor to a <code>DeleteDBInstance</code> or <code>DeleteDBCluster</code> action.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The adversary gains access to an AWS account with sufficient privileges to modify RDS instances or clusters, potentially through compromised credentials or an insider threat.</li>
<li>The attacker authenticates to the AWS Management Console, CLI, or API using the compromised credentials or assumed role.</li>
<li>The attacker uses the <code>ModifyDBInstance</code> or <code>ModifyDBCluster</code> API call to target a specific RDS DB instance or cluster.</li>
<li>Within the <code>ModifyDBInstance</code> or <code>ModifyDBCluster</code> API call, the attacker sets the <code>deletionProtection</code> parameter to <code>false</code>.</li>
<li>AWS CloudTrail logs the <code>ModifyDBInstance</code> or <code>ModifyDBCluster</code> event with <code>deletionProtection=false</code> in the <code>requestParameters</code>.</li>
<li>The attacker may then initiate a <code>DeleteDBInstance</code> or <code>DeleteDBCluster</code> API call to remove the targeted RDS resource.</li>
<li>The database instance or cluster is deleted, resulting in data loss and potential disruption of services.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Disabling deletion protection on AWS RDS instances or clusters can lead to the unauthorized or accidental deletion of critical databases. Successful execution of this attack can result in significant data loss, business disruption, and potential financial repercussions. The impact can range from temporary service outages to permanent data loss, depending on the affected systems and backup policies.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>AWS RDS Deletion Protection Disabled via CloudTrail</code> to your SIEM and tune for your environment to detect when deletion protection is disabled (refer to the rule definition below).</li>
<li>Review <code>aws.cloudtrail.user_identity.arn</code> to determine the IAM principal that made the change, and validate whether this principal normally performs RDS lifecycle operations as outlined in the investigation guide.</li>
<li>Immediately re-enable deletion protection (<code>deletionProtection=true</code>) on the affected DB instance or cluster if the change was unauthorized, as described in the remediation steps in the overview.</li>
<li>Restrict who can modify <code>ModifyDBInstance</code> or <code>ModifyDBCluster</code> destructive settings, such as deletion protection, backup retention, and public accessibility.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cloud</category><category>aws</category><category>rds</category><category>datadestruction</category></item><item><title>AWS RDS Snapshot Deletion Detected</title><link>https://feed.craftedsignal.io/briefs/2024-07-aws-rds-snapshot-deletion/</link><pubDate>Wed, 03 Jul 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-07-aws-rds-snapshot-deletion/</guid><description>The deletion of AWS RDS DB snapshots or disabling backups via configuration changes can inhibit recovery, destroy forensic evidence, and prepare for destructive actions by adversaries.</description><content:encoded><![CDATA[<p>This rule detects the deletion of AWS RDS DB snapshots or configuration changes that effectively remove backup coverage for a DB instance. RDS snapshots contain full backups of database instances, and disabling automated backups by setting &quot;backupRetentionPeriod=0&quot; has a similar impact by preventing future restore points. A threat actor with sufficient AWS permissions may delete snapshots or disable backups to inhibit recovery, destroy forensic evidence, or prepare for follow-on destructive actions such as instance or cluster deletion. The rule focuses on successful snapshot deletions and backup disabling events within AWS RDS. The scope includes any AWS environment utilizing RDS for database services.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains access to an AWS account with sufficient permissions to manage RDS instances and snapshots, possibly through compromised credentials or an IAM role with excessive privileges.</li>
<li>The attacker enumerates available RDS DB instances and snapshots within the target AWS account using AWS CLI or API calls (e.g., <code>DescribeDBSnapshots</code>, <code>DescribeDBInstances</code>).</li>
<li>The attacker identifies target DB instances and their associated snapshots that are critical for recovery or contain valuable forensic data.</li>
<li>The attacker deletes RDS DB snapshots using the <code>DeleteDBSnapshot</code> API call, effectively removing restore points.</li>
<li>Alternatively, the attacker modifies the DB instance configuration using the <code>ModifyDBInstance</code> API call, setting <code>backupRetentionPeriod</code> to 0 to disable automated backups and prevent future restore points.</li>
<li>The attacker may then delete the RDS instance itself using DeleteDBInstance.</li>
<li>The attacker attempts to cover their tracks by deleting relevant CloudTrail logs or disabling CloudTrail logging.</li>
<li>The attacker's objective is to prevent restoration to a known-good state and destroy forensic evidence of attacker actions, potentially as part of a ransomware attack or data exfiltration attempt.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful deletion of RDS snapshots or disabling of backups can lead to significant data loss and prolonged downtime, making recovery from security incidents or operational failures difficult or impossible. This can impact business continuity, data integrity, and regulatory compliance. The precise impact depends on the criticality of the affected databases and the availability of alternative backup mechanisms. If successful, this can result in total data loss for the organization.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule to your SIEM to detect suspicious <code>DeleteDBSnapshot</code>, <code>DeleteDBClusterSnapshot</code>, or <code>ModifyDBInstance</code> events setting <code>backupRetentionPeriod=0</code> in AWS CloudTrail logs.</li>
<li>Restrict IAM permissions for <code>rds:DeleteDBSnapshot</code>, <code>rds:DeleteDBClusterSnapshot</code>, and <code>rds:ModifyDBInstance</code> (especially backup and deletion-related parameters) to a small set of privileged roles, as described in the remediation steps.</li>
<li>Use AWS Config rules and/or Security Hub controls to detect instances with <code>backupRetentionPeriod=0</code>, as recommended in the hardening and preventive controls section.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>aws</category><category>rds</category><category>snapshot</category><category>backup</category><category>datadestruction</category></item><item><title>AWS RDS DB Instance Made Public</title><link>https://feed.craftedsignal.io/briefs/2024-07-aws-rds-public/</link><pubDate>Wed, 03 Jul 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-07-aws-rds-public/</guid><description>An attacker with compromised AWS credentials may modify an Amazon RDS DB instance or cluster to be publicly accessible for persistence, data exfiltration, or to bypass network restrictions.</description><content:encoded><![CDATA[<p>This detection identifies the creation or modification of an Amazon RDS DB instance or cluster with the <code>publiclyAccessible</code> attribute set to <code>true</code>. While legitimate use cases exist, unexpected public exposure of a database to the internet introduces significant security risks. An adversary with access to AWS credentials might modify a DB instance's public accessibility to exfiltrate data, establish persistence, or bypass internal network restrictions. The rule focuses on <code>ModifyDBInstance</code>, <code>CreateDBInstance</code>, and <code>CreateDBCluster</code> events within AWS CloudTrail logs. Defenders should investigate any unexpected changes to RDS instance accessibility. This activity can indicate compromised credentials or insider threats, and might be correlated with other IAM and network configuration changes to assess the overall impact.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains unauthorized access to AWS credentials (e.g., via phishing or credential stuffing).</li>
<li>The attacker uses the compromised credentials to authenticate to the AWS Management Console or via the AWS CLI/API.</li>
<li>The attacker identifies a target RDS DB instance or cluster.</li>
<li>The attacker executes a <code>ModifyDBInstance</code> API call, setting the <code>PubliclyAccessible</code> parameter to <code>true</code> in the <code>request_parameters</code>.</li>
<li>Alternatively, the attacker executes a <code>CreateDBInstance</code> or <code>CreateDBCluster</code> API call with the <code>PubliclyAccessible</code> parameter set to <code>true</code>.</li>
<li>The attacker modifies associated security groups using <code>AuthorizeSecurityGroupIngress</code> to allow inbound traffic from <code>0.0.0.0/0</code> or other broad IP ranges.</li>
<li>The now publicly accessible RDS instance is used to exfiltrate data or as a pivot point to attack other internal resources.</li>
<li>The attacker leverages the publicly exposed database for persistent access and further reconnaissance.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>If an attacker successfully makes an RDS DB instance publicly accessible, they can potentially exfiltrate sensitive data, pivot to other internal resources, or establish persistent access to the environment. The number of affected instances depends on the scope of the credential compromise. Sectors that heavily rely on cloud infrastructure, such as finance, healthcare, and technology, are at higher risk. The impact can range from data breaches and compliance violations to significant financial losses and reputational damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;AWS RDS DB Instance Made Public&quot; to your SIEM using <code>filebeat-*</code> and <code>logs-aws.cloudtrail-*</code> indices to detect modifications to RDS instance accessibility.</li>
<li>Review <code>aws.cloudtrail.user_identity.arn</code> and <code>aws.cloudtrail.user_identity.type</code> in the SIEM to identify the IAM principal that made the change and validate its legitimacy.</li>
<li>Monitor for <code>AuthorizeSecurityGroupIngress</code> events in CloudTrail logs that allow inbound traffic from <code>0.0.0.0/0</code> to associated security groups of RDS instances.</li>
<li>Implement AWS Config rules (e.g., <code>rds-instance-public-access-check</code>) to automatically detect and remediate publicly accessible RDS instances.</li>
<li>Enforce Service Control Policies (SCPs) to prevent the creation of publicly accessible RDS instances.</li>
<li>Refer to the provided AWS IR Playbooks and AWS Customer Playbook Framework documentation for incident response guidance.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cloud</category><category>aws</category><category>rds</category><category>persistence</category><category>defense_evasion</category></item><item><title>AWS RDS DB Instance or Cluster Password Modification</title><link>https://feed.craftedsignal.io/briefs/2024-07-aws-rds-password-modified/</link><pubDate>Wed, 03 Jul 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-07-aws-rds-password-modified/</guid><description>The modification of the master password for an AWS RDS DB instance or cluster can indicate malicious activity used for persistence, privilege escalation, or defense evasion.</description><content:encoded><![CDATA[<p>This threat brief focuses on the modification of master passwords for AWS RDS DB instances or clusters. While password changes can be legitimate for recovery actions, attackers with sufficient permissions can exploit this to regain access, establish persistence, bypass existing controls, or escalate privileges within a compromised environment. The primary concern arises because RDS does not expose passwords in API responses, making any such modification a meaningful change to access pathways, potentially impacting sensitive data stores. This activity is detected via <code>ModifyDBInstance</code> or <code>ModifyDBCluster</code> events in AWS CloudTrail.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to an AWS account through compromised credentials, exploiting a vulnerable application, or other means.</li>
<li>The attacker enumerates existing RDS DB instances and clusters using AWS CLI or API calls, such as <code>DescribeDBInstances</code>.</li>
<li>The attacker identifies a target RDS DB instance or cluster containing sensitive data or critical functionality.</li>
<li>The attacker executes <code>ModifyDBInstance</code> or <code>ModifyDBCluster</code> via the AWS CLI or API, changing the master user password. This requires appropriate IAM permissions.</li>
<li>The attacker uses the newly modified password to authenticate to the database and gain privileged access.</li>
<li>The attacker performs malicious actions within the database, such as exfiltrating data, modifying data, or creating new accounts with elevated privileges.</li>
<li>The attacker may disable deletion protection or modify backup retention policies to further ensure persistence or cover their tracks.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful modification of RDS master passwords can lead to significant data breaches, service disruption, and financial losses. While specific victim numbers and sectors aren't available, the impact of a compromised RDS instance can be severe. If an attacker successfully modifies the password, they can gain complete control over the database, potentially leading to the exfiltration of sensitive information, modification or deletion of critical data, and the compromise of applications relying on the database.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;AWS RDS DB Instance or Cluster Password Modified&quot; to detect unauthorized password modifications (rule).</li>
<li>Review <code>aws.cloudtrail.user_identity.arn</code> and <code>aws.cloudtrail.user_identity.access_key_id</code> in AWS CloudTrail logs to identify the source of password modification events (log source).</li>
<li>Limit IAM permissions for <code>rds:ModifyDBInstance</code> and <code>rds:ModifyDBCluster</code>, especially when modifying authentication parameters (reference).</li>
<li>Implement multi-factor authentication (MFA) and role-based access control (RBAC) for DB administrators (reference).</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cloud</category><category>aws</category><category>rds</category><category>persistence</category></item><item><title>AWS RDS DB Instance Restored for Defense Evasion or Data Collection</title><link>https://feed.craftedsignal.io/briefs/2024-01-09-aws-rds-restore/</link><pubDate>Tue, 09 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-09-aws-rds-restore/</guid><description>Detection of AWS RDS database instance restoration from a snapshot or S3 backup, potentially indicating unauthorized data access, defense evasion, or data collection by adversaries recreating database environments to bypass controls or exfiltrate sensitive data.</description><content:encoded><![CDATA[<p>This rule detects the restoration of an AWS RDS database instance, a technique that can be abused by adversaries for defense evasion or data collection. Attackers may restore databases from snapshots or S3 backups to bypass logging and monitoring, create shadow environments for data exfiltration, or access older data. The activity is triggered by the successful execution of <code>RestoreDBInstanceFromDBSnapshot</code> or <code>RestoreDBInstanceFromS3</code> events within AWS CloudTrail logs. Defenders should monitor for unexpected RDS restores to identify potential malicious activity and data compromise. This activity can occur post-compromise after an attacker gains access to AWS credentials with sufficient privileges to manage RDS instances.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains access to an AWS account through compromised credentials or privilege escalation.</li>
<li>The attacker enumerates available RDS snapshots and S3 backups using AWS CLI or API calls (<code>DescribeDBSnapshots</code>, <code>DescribeDBInstances</code>).</li>
<li>The attacker identifies a target RDS database instance containing sensitive data.</li>
<li>The attacker initiates a <code>RestoreDBInstanceFromDBSnapshot</code> or <code>RestoreDBInstanceFromS3</code> operation to create a new RDS instance from a snapshot or backup.</li>
<li>A new RDS instance is created with the data from the snapshot or backup.</li>
<li>The attacker accesses the restored database instance, bypassing monitoring on the original instance.</li>
<li>The attacker exfiltrates sensitive data from the restored instance.</li>
<li>The attacker may attempt to delete the restored instance and snapshots to remove traces of their activity.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows attackers to bypass existing security controls and gain unauthorized access to sensitive data stored within the RDS database. This can lead to data breaches, financial loss, and reputational damage. If the attacker gains access to a production database copy, the impact can be significant, potentially affecting thousands of users. The sectors most likely impacted include those that rely heavily on cloud-based database solutions, such as finance, healthcare, and technology.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;AWS RDS DB Instance Restored&quot; to your SIEM, tuned for your specific environment, to detect unauthorized RDS instance restorations.</li>
<li>Enforce least privilege for <code>rds:RestoreDBInstanceFromDBSnapshot</code> and <code>rds:RestoreDBInstanceFromS3</code> actions using IAM policies, restricting restore actions by network, principal, or region.</li>
<li>Enable AWS CloudTrail logging and monitor for unexpected RDS events, focusing on <code>RestoreDBInstanceFromDBSnapshot</code> and <code>RestoreDBInstanceFromS3</code> actions.</li>
<li>Implement AWS Config and Security Hub controls for monitoring unapproved RDS restores and misconfigured restored instances.</li>
<li>Investigate any alerts generated by the Sigma rule, focusing on the user identity, source IP, and the snapshot or S3 location used for the restore.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cloud</category><category>aws</category><category>rds</category><category>defense-evasion</category><category>data-collection</category></item><item><title>AWS RDS Snapshot Export to S3 for Potential Data Exfiltration</title><link>https://feed.craftedsignal.io/briefs/2024-01-aws-rds-snapshot-exfiltration/</link><pubDate>Wed, 03 Jan 2024 18:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-aws-rds-snapshot-exfiltration/</guid><description>An adversary may export RDS snapshots to Amazon S3 to exfiltrate sensitive data outside of RDS-managed storage, potentially bypassing database access controls and leading to unauthorized data theft.</description><content:encoded><![CDATA[<p>The exporting of RDS (Relational Database Service) snapshots to Amazon S3 buckets can be a legitimate operation for analytics, migration, or backup purposes. However, adversaries can abuse this functionality by exporting sensitive database snapshots to S3 buckets they control or can access, bypassing RDS's built-in security controls. This poses a significant risk of data exfiltration, as the exported snapshot is essentially a portable copy of the database contents. The activity is triggered via the <code>StartExportTask</code> API call. The scope of targeting is broad, as any organization utilizing AWS RDS is potentially vulnerable, with the impact being dependent on the sensitivity of the data stored in the RDS instances.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains unauthorized access to an AWS account with sufficient privileges to interact with RDS and S3 services. This can be achieved through compromised credentials, privilege escalation, or exploiting misconfigured IAM roles.</li>
<li>The attacker enumerates available RDS instances and identifies those containing sensitive data using <code>DescribeDBSnapshots</code> or similar API calls.</li>
<li>The attacker initiates a snapshot of the target RDS instance, creating a point-in-time copy of the database.</li>
<li>The attacker calls the <code>StartExportTask</code> API to export the RDS snapshot to a specified S3 bucket. This involves specifying the snapshot identifier, the destination S3 bucket name and path, and optionally a KMS key for encryption.</li>
<li>The exported snapshot is stored in the S3 bucket as a set of data files.</li>
<li>The attacker configures the S3 bucket's access controls (ACLs or bucket policies) to allow access from an external AWS account or identity they control.</li>
<li>The attacker downloads the exported snapshot files from the S3 bucket to their local system or a different cloud environment.</li>
<li>The attacker imports the snapshot into a database instance they control, gaining access to the sensitive data contained within the RDS instance. The end objective is successful exfiltration of the database contents to a location outside the organization's control.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to the exfiltration of sensitive data, including personally identifiable information (PII), financial data, or trade secrets. The number of affected victims depends on the scope of the compromised AWS environment. Organizations in highly regulated sectors like finance and healthcare are at particularly high risk. The compromise can result in significant financial losses, reputational damage, legal repercussions, and loss of customer trust.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>AWS RDS Snapshot Export to S3</code> to your SIEM to detect unauthorized RDS snapshot exports by monitoring <code>StartExportTask</code> events in CloudTrail logs.</li>
<li>Implement IAM least-privilege policies to restrict the ability to call <code>StartExportTask</code> to authorized users and roles only, as mentioned in the overview.</li>
<li>Continuously monitor and review S3 bucket ACLs and policies to ensure that access is restricted to authorized principals, as described in the remediation steps.</li>
<li>Enable AWS Config or Security Hub controls to monitor snapshot policy changes and alert for exports to buckets outside approved accounts, per the hardening and preventive controls advice.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>aws</category><category>rds</category><category>s3</category><category>exfiltration</category><category>cloudtrail</category></item><item><title>AWS RDS DB Instance or Cluster Deleted</title><link>https://feed.craftedsignal.io/briefs/2024-01-aws-rds-deletion/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-aws-rds-deletion/</guid><description>An adversary with sufficient permissions may delete RDS resources such as DB instances or clusters to impede recovery, destroy evidence, or inflict operational impact on the environment.</description><content:encoded><![CDATA[<p>The deletion of Amazon RDS DB instances, Aurora clusters, or global database clusters can lead to permanent data loss and major service disruption. This activity is often carried out by adversaries who have gained sufficient permissions within an AWS environment. The motivation behind such actions can range from impeding recovery efforts following a ransomware attack, destroying critical evidence to hinder forensic investigations, or directly inflicting operational impact on the targeted environment. Defenders should be aware that these actions are irreversible without backups, making swift detection and validation essential to mitigate potential damage.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An adversary gains initial access to the AWS environment, potentially through compromised credentials or an IAM role with excessive permissions.</li>
<li>The attacker enumerates existing RDS DB instances, Aurora clusters, or global database clusters within the target AWS account to identify valuable targets.</li>
<li>The attacker modifies the deletionProtection setting on the target RDS resource to <code>false</code> to allow deletion.</li>
<li>The attacker may disable or modify backup configurations to prevent recovery options, such as setting backupRetentionPeriod to <code>0</code>.</li>
<li>The attacker executes the <code>DeleteDBInstance</code>, <code>DeleteDBCluster</code>, or <code>DeleteGlobalCluster</code> API call to initiate the deletion process.</li>
<li>If configured, the attacker may attempt to delete any final snapshots created during the deletion process to further hinder recovery.</li>
<li>The targeted RDS resource is permanently deleted, resulting in data loss and potential service disruption.</li>
<li>The attacker may attempt to cover their tracks by deleting relevant CloudTrail logs or modifying IAM policies.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The deletion of RDS DB instances or clusters can lead to significant data loss, disrupting critical business operations. Depending on the size and importance of the deleted resources, organizations may face substantial financial losses, reputational damage, and regulatory penalties. If backups are unavailable or have also been compromised, data recovery may be impossible, leading to long-term business disruption. The impact can affect organizations of any size that rely on AWS RDS for data storage and retrieval.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>AWS RDS DB Instance or Cluster Deleted</code> to your SIEM and tune for your environment to detect unauthorized RDS resource deletions.</li>
<li>Enable deletionProtection on all critical RDS instances and clusters to prevent accidental or malicious deletion.</li>
<li>Enforce MFA for IAM users with RDS privileges to reduce the risk of compromised credentials (reference the additional information links).</li>
<li>Monitor CloudTrail logs for changes to deletionProtection settings and backup retention policies.</li>
<li>Regularly review and audit IAM policies to ensure that users and roles have only the necessary permissions.</li>
<li>Implement a process for validating unexpected RDS resource deletions with the service owner or database administrator.</li>
<li>Enable Sysmon process-creation logging to correlate with CloudTrail logs in case CLI or SDK tools are used for deletion.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cloud</category><category>aws</category><category>rds</category><category>datadestruction</category></item><item><title>AWS RDS Master User Password Reset Detection</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-aws-rds-password-reset/</link><pubDate>Wed, 03 Jan 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-aws-rds-password-reset/</guid><description>Detection of unauthorized master user password resets for Amazon RDS DB instances via AWS CloudTrail logs, potentially leading to sensitive data access and data breaches.</description><content:encoded><![CDATA[<p>This analytic detects the resetting of the master user password for an Amazon RDS DB instance. The detection leverages AWS CloudTrail logs ingested via Amazon Security Lake to identify events where the <code>ModifyDBInstance</code> or <code>ModifyDBCluster</code> API calls include a new <code>masterUserPassword</code> parameter. This activity is significant because unauthorized password resets can grant attackers access to sensitive data stored in production databases, which may contain sensitive information such as credit card numbers, PII, or protected health information. If the password reset is confirmed to be malicious, it could lead to data breaches, regulatory non-compliance, and significant reputational damage. This detection is based on version 8 of the Splunk Security Content analytic &quot;ASL AWS Credential Access RDS Password reset&quot; published on April 15, 2026.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to an AWS account, potentially through compromised credentials (T1110) or phishing (T1586.003).</li>
<li>The attacker leverages the AWS Management Console or AWS CLI to interact with the RDS service.</li>
<li>The attacker issues a <code>ModifyDBInstance</code> or <code>ModifyDBCluster</code> API call.</li>
<li>Within the <code>ModifyDBInstance</code> or <code>ModifyDBCluster</code> API call, the attacker includes the <code>masterUserPassword</code> parameter.</li>
<li>The RDS service processes the request and resets the master user password for the specified database instance or cluster.</li>
<li>The attacker uses the newly reset master user password to authenticate to the RDS database instance.</li>
<li>The attacker gains access to sensitive data stored within the RDS database.</li>
<li>The attacker exfiltrates or manipulates the data for malicious purposes.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack resulting in unauthorized password reset can lead to a complete compromise of the RDS database instance. This could result in data breaches with millions of records exposed, regulatory fines for non-compliance (e.g., GDPR, HIPAA), and severe reputational damage affecting customer trust and stock prices. Sectors heavily reliant on RDS databases, such as finance, healthcare, and e-commerce, are particularly vulnerable.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>AWS RDS Master User Password Reset</code> to your SIEM and tune for your environment using AWS CloudTrail logs ingested via Amazon Security Lake.</li>
<li>Investigate any detected instances of <code>ModifyDBInstance</code> or <code>ModifyDBCluster</code> API calls containing the <code>masterUserPassword</code> parameter by pivoting to the originating IP address (<code>src_endpoint.ip</code>) and user agent (<code>http_request.user_agent</code>) from the Sigma rule.</li>
<li>Implement multi-factor authentication (MFA) for all AWS accounts, especially those with permissions to manage RDS instances, to mitigate compromised credential attacks (T1110).</li>
<li>Review and enforce the principle of least privilege for IAM roles, ensuring that users only have the necessary permissions to perform their job functions.</li>
<li>Monitor AWS CloudTrail logs for other suspicious API calls related to RDS, such as modifications to security groups or network ACLs.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cloud</category><category>aws</category><category>credential-access</category><category>rds</category></item></channel></rss>