---
title: Possible RDS Snapshot exfiltration
description: Datadog, the leading service for cloud-scale monitoring.
---

# Possible RDS Snapshot exfiltration

- Classification: attack
- Tactic: [TA0010-exfiltration](https://attack.mitre.org/tactics/TA0010)
- Technique: [T1537-transfer-data-to-cloud-account](https://attack.mitre.org/techniques/T1537)

## Goal{% #goal %}

Detect a user attempting to exfiltrate data from an RDS Snapshot.

## Strategy{% #strategy %}

This rule lets you monitor [ModifyDBClusterSnapshotAttribute](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/modify-db-cluster-snapshot-attribute.html#modify-db-cluster-snapshot-attribute) CloudTrail API calls to detect when an RDS snapshot is made public or shared with an AWS account.

The rule also inspects:

- the `@requestParameters.valuesToAdd` array for the string `all`, which indicates that the RDS snapshot was made public.
- the `@requestParameters.attributeName` array for the string `restore`, which indicates that the RDS snapshot was shared with a new or unknown AWS account.
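
The two checks above, written out as an added Python example (not Datadog's rule definition) and run over constructed CloudTrail records. `known_accounts` is a hypothetical allow-list of trusted account IDs, and the sample ARNs and account IDs are made up.

```python
RULE_EVENT = "ModifyDBClusterSnapshotAttribute"  # API call named on this page

def _as_list(value):
    """Accept a scalar or a list, since either shape may appear in a record."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def classify(event, known_accounts=frozenset()):
    """Return 'public', 'shared-unknown' or None for one CloudTrail record.

    known_accounts is a hypothetical allow-list, not part of the rule.
    """
    if event.get("eventName") != RULE_EVENT:
        return None
    params = event.get("requestParameters") or {}  # may be null in a record
    if "restore" not in _as_list(params.get("attributeName")):
        return None
    added = [str(v) for v in _as_list(params.get("valuesToAdd"))]
    if "all" in added:
        return "public"  # snapshot restorable by any AWS account
    if any(acct not in known_accounts for acct in added):
        return "shared-unknown"  # shared with an account outside the allow-list
    return None  # nothing added, or only trusted accounts

def findings(records, known_accounts=frozenset()):
    """Return (verdict, caller ARN) pairs for the records that match."""
    out = []
    for rec in records:
        verdict = classify(rec, known_accounts)
        if verdict:
            arn = (rec.get("userIdentity") or {}).get("arn", "unknown")
            out.append((verdict, arn))
    return out

def _rec(user, params, name=RULE_EVENT):
    """Build one constructed sample record (not real CloudTrail output)."""
    arn = "arn:aws:iam::111122223333:user/" + user
    return {"eventName": name, "userIdentity": {"arn": arn},
            "requestParameters": params}

SAMPLE = [
    _rec("alice", {"attributeName": "restore", "valuesToAdd": ["all"]}),
    _rec("bob", {"attributeName": "restore", "valuesToAdd": ["999988887777"]}),
    _rec("carol", {"attributeName": "restore", "valuesToAdd": ["444455556666"]}),
    _rec("dave", {"attributeName": "restore", "valuesToRemove": ["all"]}),
    _rec("erin", None, name="DescribeDBClusterSnapshots"),
]

if __name__ == "__main__":
    for verdict, arn in findings(SAMPLE, known_accounts={"444455556666"}):
        print(verdict, arn)
```

Only additions are flagged: a call that revokes access through `valuesToRemove` (the `dave` record) produces no finding.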

## Triage and response{% #triage-and-response %}

1. Confirm whether the user `{{@userIdentity.arn}}` intended to make the RDS snapshot public.
1. If the user did not make the API call:
   - Rotate the credentials.
   - Investigate if the same credentials made other unauthorized API calls.

## Changelog{% #changelog %}

11 October 2022 - Updated severity.
