Potential database port open to the world via AWS security group

cloudtrail

Classification:

compliance

Tactic:

Technique:

Framework:

cis-aws

Control:

4.10

Goal

Detect when an AWS security group is opened to the world on a port commonly associated with a database service.

Strategy

Monitor CloudTrail and detect when an AWS security group has been created or modified with one of the following API calls:

This rule inspects the @requestParameters.ipPermissions.items.ipRanges.items.cidrIp or @requestParameters.cidrIp array to determine if either of the strings are contained - 0.0.0.0/0 or ::/0 for the following ports:

  • 1433 (MSSQL)
  • 3306 (MySQL)
  • 5432 (PostgresSQL)
  • 5984/6984 (CouchDB)
  • 6379 (Redis)
  • 9200 (Elasticsearch)
  • 27017 (MongoDB)

Database ports that are open to the world are a common target for attackers to gain unauthorized access to resources or data.

Note: A separate rule to detect AWS Security Group Open to the World.

Triage and response

  1. Determine if {{@userIdentity.session_name}} should have made a {{@evt.name}} API call.
  2. If the API call was not made by the user:
  • Rotate the user credentials.
  • Determine what other API calls were made by the user.
  • Investigate VPC flow logs and OS system logs to determine if unauthorized access occurred.
  1. If the API call was made legitimately by the user:
  • Advise the user to modify the IP range to the company private network or bastion host.
  1. Revert security group configuration back to known good state if required:

Changelog

15 December 2022 - Updated rule query and severity.