<  Back to rules search

Possible RDS Snapshot Exfiltration

cloudtrail

Classification:

compliance

Tactic:

Technique:

Goal

Detect a user attempting to exfiltrate data from an RDS Snapshot.

Strategy

This rule lets you monitor the ModifyDBClusterSnapshotAttribute CloudTrail API calls to detect when an RDS snapshot is made public.

This rule also inspects the:

  • @requestParameters.valuesToAdd array to determine if the string all is contained. This is the indicator which means the RDS snapshot is made public.
  • @requestParameters.attributeName array to determine if the string restore is contained. This is the indicator which means the RDS snapshot was shared with a new or unkown AWS Account.

Triage and response

  1. Confirm if the user: {{@userIdentity.arn}}intended to make the RDS snaphsot public.
  2. If the user did not make the API call:
  • Rotate the credentials.
  • Investigate if the same credentials made other unauthorized API calls.

Changelog

  • 11 October 2022 - updated severity.