AWS RDS Cluster deleted
Set up the CloudTrail integration.
Detect when an attacker is destroying an RDS cluster.
This rule lets you monitor this CloudTrail API call to detect if an attacker is deleting an RDS cluster:
Triage & Response
- Determine which user in your organization owns the API key that made this API call.
- Contact the user to see if they intended to make this API call.
- If the user did not make the API call:
  - Rotate the credentials.
  - Investigate if the same credentials made other unauthorized API calls.
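
The triage steps above can be run offline over exported CloudTrail records. The following is an added example, not part of the rule: it assumes the monitored call is the RDS `DeleteDBCluster` API, and the sample records, access key IDs, ARNs and helper names (`ev_record`, `is_cluster_deletion`, `triage`) are constructed for illustration.

```python
# Constructed CloudTrail records (not from a real account), trimmed to the fields used here.
def ev_record(time, source, name, key, arn, params=None, error=None):
    rec = {"eventTime": time, "eventSource": source, "eventName": name,
           "userIdentity": {"accessKeyId": key, "arn": arn},
           "requestParameters": params}
    if error:
        rec["errorCode"] = error  # present only when the call failed
    return rec

ALICE = "arn:aws:iam::111122223333:user/alice"
BOB = "arn:aws:iam::111122223333:user/bob"
KEY_A, KEY_B = "AKIAEXAMPLE0000000001", "AKIAEXAMPLE0000000002"
SAMPLE_EVENTS = [
    ev_record("2024-01-10T09:58:02Z", "iam.amazonaws.com", "CreateAccessKey", KEY_A, ALICE),
    ev_record("2024-01-10T10:01:00Z", "rds.amazonaws.com", "DescribeDBClusters", KEY_B, BOB),
    ev_record("2024-01-10T10:03:41Z", "rds.amazonaws.com", "DeleteDBCluster", KEY_A, ALICE,
              {"dBClusterIdentifier": "orders-prod"}),
    ev_record("2024-01-10T10:04:10Z", "rds.amazonaws.com", "DeleteDBCluster", KEY_A, ALICE,
              {"dBClusterIdentifier": "billing-prod"}, error="AccessDenied"),
    ev_record("2024-01-10T10:05:30Z", "s3.amazonaws.com", "DeleteBucket", KEY_A, ALICE),
]

def is_cluster_deletion(ev):
    """True for a CloudTrail record of the RDS DeleteDBCluster call."""
    return ev.get("eventSource") == "rds.amazonaws.com" and ev.get("eventName") == "DeleteDBCluster"

def triage(events):
    """Map each access key that called DeleteDBCluster to its owner, targets and other calls."""
    report = {}
    for ev in filter(is_cluster_deletion, events):
        ident = ev.get("userIdentity") or {}
        key = ident.get("accessKeyId", "<no-access-key>")
        entry = report.setdefault(
            key, {"principal": ident.get("arn"), "deletions": [], "other_calls": []})
        entry["deletions"].append({
            "cluster": (ev.get("requestParameters") or {}).get("dBClusterIdentifier"),
            "time": ev.get("eventTime"),
            "succeeded": "errorCode" not in ev,  # denied attempts still matter for triage
        })
    # Second pass: everything else the same credentials did, for the follow-up investigation.
    for ev in events:
        key = (ev.get("userIdentity") or {}).get("accessKeyId")
        if key in report and not is_cluster_deletion(ev):
            report[key]["other_calls"].append((ev.get("eventTime", ""), ev.get("eventName", "")))
    for entry in report.values():
        entry["other_calls"].sort()
    return report

if __name__ == "__main__":
    for key, entry in triage(SAMPLE_EVENTS).items():
        print(key, entry)
```

The `principal` field answers who owns the key, and `other_calls` is the starting list for checking what else the credentials did before and after the deletion.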