AWS RDS Cluster deleted

cloudtrail

Classification:

attack

Tactic:

TA0040-impact

Technique:

T1485-data-destruction

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect when a user deleted a database cluster in RDS.

Strategy

This rule lets you monitor this CloudTrail API call to detect if an attacker is deleting a RDS cluster:

Triage and response

  1. Determine if the API call: {{@evt.name}} should have occurred.
  2. If it shouldn’t have been made:
    • Contact the user: {{@userIdentity.arn}} and see if they made the API call.
  3. If the API call was not made by the user:
    • Rotate the user credentials.
    • Determine what other API calls were made with the old credentials that were not made by the user.

Changelog

6 April 2022 - Updated rule and signal message.