Possible RDS Snapshot exfiltration
Goal
Detect a user attempting to exfiltrate data from an RDS Snapshot.
Strategy
This rule lets you monitor ModifyDBClusterSnapshotAttribute CloudTrail API calls to detect when an RDS snapshot is made public or shared with an AWS account.
This rule also inspects the:
@requestParameters.valuesToAdd
array to determine if the string all
is contained. This is the indicator which means the RDS snapshot is made public.@requestParameters.attributeName
array to determine if the string restore
is contained. This is the indicator which means the RDS snapshot was shared with a new or unknown AWS Account.
Triage and response
- Confirm if the user:
{{@userIdentity.arn}}
intended to make the RDS snaphsot public. - If the user did not make the API call:
- Rotate the credentials.
- Investigate if the same credentials made other unauthorized API calls.
Changelog
11 October 2022 - Updated severity.