Potential database port open to the world via AWS security group
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。
Goal
Detect when an AWS security group is opened to the world on a port commonly associated with a database service.
Strategy
Monitor CloudTrail and detect when an AWS security group has been created or modified with one of the following API calls:
This rule inspects the @requestParameters.ipPermissions.items.ipRanges.items.cidrIp
or @requestParameters.cidrIp
array to determine if either of the strings are contained - 0.0.0.0/0
or ::/0
for the following ports:
- 1433 (MSSQL)
- 3306 (MySQL)
- 5432 (PostgresSQL)
- 5984/6984 (CouchDB)
- 6379 (Redis)
- 9200 (Elasticsearch)
- 27017 (MongoDB)
Database ports that are open to the world are a common target for attackers to gain unauthorized access to resources or data.
Note: A separate rule to detect AWS Security Group Open to the World.
Triage and response
- Determine if
{{@userIdentity.session_name}}
should have made a {{@evt.name}}
API call. - If the API call was not made by the user:
- Rotate the user credentials.
- Determine what other API calls were made by the user.
- Investigate VPC flow logs and OS system logs to determine if unauthorized access occurred.
- If the API call was made legitimately by the user:
- Advise the user to modify the IP range to the company private network or bastion host.
- Revert security group configuration back to known good state if required:
Changelog
15 December 2022 - Updated rule query and severity.