Potential database port open to the world via AWS security group










이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.


Detect when an AWS security group is opened to the world on a port commonly associated with a database service.


Monitor CloudTrail and detect when an AWS security group has been created or modified with one of the following API calls:

This rule inspects the @requestParameters.ipPermissions.items.ipRanges.items.cidrIp or @requestParameters.cidrIp array to determine if either of the strings are contained - or ::/0 for the following ports:

  • 1433 (MSSQL)
  • 3306 (MySQL)
  • 5432 (PostgresSQL)
  • 5984/6984 (CouchDB)
  • 6379 (Redis)
  • 9200 (Elasticsearch)
  • 27017 (MongoDB)

Database ports that are open to the world are a common target for attackers to gain unauthorized access to resources or data.

Note: A separate rule to detect AWS Security Group Open to the World.

Triage and response

  1. Determine if {{@userIdentity.session_name}} should have made a {{@evt.name}} API call.
  2. If the API call was not made by the user:
  • Rotate the user credentials.
  • Determine what other API calls were made by the user.
  • Investigate VPC flow logs and OS system logs to determine if unauthorized access occurred.
  1. If the API call was made legitimately by the user:
  • Advise the user to modify the IP range to the company private network or bastion host.
  1. Revert security group configuration back to known good state if required:


15 December 2022 - Updated rule query and severity.