Potential database port open to the world via AWS security group

cloudtrail

Classification:

compliance

Tactic:

TA0005-defense-evasion

Technique:

T1562-impair-defenses

Framework:

cis-aws

Control:

4.10

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect when an AWS security group is opened to the world on a port commonly associated with a database service.

Strategy

Monitor CloudTrail and detect when an AWS security group has been created or modified with one of the following API calls:

This rule inspects the @requestParameters.ipPermissions.items.ipRanges.items.cidrIp or @requestParameters.cidrIp array to determine if either of the strings are contained - 0.0.0.0/0 or ::/0 for the following ports:

  • 1433 (MSSQL)
  • 3306 (MySQL)
  • 5432 (PostgresSQL)
  • 5984/6984 (CouchDB)
  • 6379 (Redis)
  • 9200 (Elasticsearch)
  • 27017 (MongoDB)

Database ports that are open to the world are a common target for attackers to gain unauthorized access to resources or data.

Note: A separate rule to detect AWS Security Group Open to the World.

Triage and response

  1. Determine if {{@userIdentity.session_name}} should have made a {{@evt.name}} API call.
  2. If the API call was not made by the user:
  • Rotate the user credentials.
  • Determine what other API calls were made by the user.
  • Investigate VPC flow logs and OS system logs to determine if unauthorized access occurred.
  1. If the API call was made legitimately by the user:
  • Advise the user to modify the IP range to the company private network or bastion host.
  1. Revert security group configuration back to known good state if required:

Changelog

15 December 2022 - Updated rule query and severity.