AWS RDS Cluster deleted
Goal
Detect when a user deleted a database cluster in RDS.
Strategy
This rule lets you monitor this CloudTrail API call to detect if an attacker is deleting an RDS cluster:
Triage and response
- Determine if the API call: {{@evt.name}} should have occurred.
- If it shouldn’t have been made:
  - Contact the user: {{@userIdentity.arn}} and see if they made the API call.
  - If the API call was not made by the user:
    - Rotate the user credentials.
    - Determine what other API calls were made with the old credentials that were not made by the user.
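
An added example (not the rule's own definition): an offline Python check that applies this detection to CloudTrail records and then carries out the last triage step, listing every other call made with the same access key. The event name `DeleteDBCluster`, the `errorCode` filter, and the sample records are assumptions constructed for illustration; the page does not list them.

```python
import json

# Constructed CloudTrail records for illustration; not real account data.
SAMPLE = """
{"eventTime":"2024-01-15T09:58:11Z","eventSource":"sts.amazonaws.com","eventName":"GetCallerIdentity","userIdentity":{"arn":"arn:aws:iam::111122223333:user/example-dev","accessKeyId":"AKIAEXAMPLE0000000001"}}
{"eventTime":"2024-01-15T10:01:40Z","eventSource":"rds.amazonaws.com","eventName":"DescribeDBClusters","userIdentity":{"arn":"arn:aws:iam::111122223333:user/example-dev","accessKeyId":"AKIAEXAMPLE0000000001"}}
{"eventTime":"2024-01-15T10:03:02Z","eventSource":"rds.amazonaws.com","eventName":"DeleteDBCluster","errorCode":"AccessDenied","userIdentity":{"arn":"arn:aws:iam::111122223333:user/example-ops","accessKeyId":"AKIAEXAMPLE0000000002"},"requestParameters":{"dBClusterIdentifier":"example-staging"}}
{"eventTime":"2024-01-15T10:04:27Z","eventSource":"rds.amazonaws.com","eventName":"DeleteDBCluster","userIdentity":{"arn":"arn:aws:iam::111122223333:user/example-dev","accessKeyId":"AKIAEXAMPLE0000000001"},"requestParameters":{"dBClusterIdentifier":"example-prod"}}
{"eventTime":"2024-01-15T10:06:15Z","eventSource":"iam.amazonaws.com","eventName":"CreateAccessKey","userIdentity":{"arn":"arn:aws:iam::111122223333:user/example-dev","accessKeyId":"AKIAEXAMPLE0000000001"}}
"""

def load(text):
    """Parse newline-delimited CloudTrail records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def is_cluster_deletion(event):
    """True for an RDS DeleteDBCluster call that succeeded (no errorCode recorded)."""
    return (event.get("eventSource") == "rds.amazonaws.com"
            and event.get("eventName") == "DeleteDBCluster"
            and "errorCode" not in event)

def triage(events):
    """For each deletion, report the caller and all other calls made with the same key."""
    findings = []
    for hit in filter(is_cluster_deletion, events):
        ident = hit.get("userIdentity") or {}
        key = ident.get("accessKeyId")
        # Skip correlation when no key is recorded, so keyless events are not lumped together.
        related = sorted(
            (e["eventTime"], e["eventSource"], e["eventName"])
            for e in events
            if key is not None and e is not hit
            and (e.get("userIdentity") or {}).get("accessKeyId") == key
        )
        findings.append({
            "time": hit["eventTime"],
            "arn": ident.get("arn"),
            "access_key_id": key,
            "cluster": (hit.get("requestParameters") or {}).get("dBClusterIdentifier"),
            "other_calls": related,
        })
    return findings

if __name__ == "__main__":
    for finding in triage(load(SAMPLE)):
        print(json.dumps(finding, indent=2))
```

The denied attempt by `example-ops` is excluded because the goal is a completed deletion; drop the `errorCode` condition to surface failed attempts as well.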
Changelog
6 April 2022 - Updated rule and signal message.