AWS RDS DB Instance Restored

  1[metadata]
  2creation_date = "2021/06/29"
  3integration = ["aws"]
  4maturity = "production"
  5updated_date = "2026/01/21"
  6
  7[rule]
  8author = ["Austin Songer", "Elastic"]
  9description = """
 10Identifies the restoration of an AWS RDS database instance from a snapshot or S3 backup. Adversaries with access to
 11valid credentials may restore copies of existing databases to bypass logging and monitoring controls or to exfiltrate
 12sensitive data from a duplicated environment. This rule detects successful restoration operations using
 13"RestoreDBInstanceFromDBSnapshot" or "RestoreDBInstanceFromS3", which may indicate unauthorized data access or
 14post-compromise defense evasion.
 15"""
 16false_positives = [
 17    """
 18    Restoring an RDS DB instance may be performed legitimately during troubleshooting, development refresh processes,
 19    migrations, or disaster-recovery drills. Validate the user identity, source IP, automation context, and whether the
 20    restoration aligns with a known maintenance or testing workflow before treating the event as suspicious. Expected
 21    behavior can be exempted through rule exceptions.
 22    """,
 23]
 24index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 25language = "kuery"
 26license = "Elastic License v2"
 27name = "AWS RDS DB Instance Restored"
 28note = """## Triage and analysis
 29
 30### Investigating AWS RDS DB Instance Restored
 31
 32Restoring an RDS DB instance from a snapshot or from S3 is a powerful operation that recreates a full database environment. While legitimate for recovery, migrations, or cloning, adversaries may use restore actions to access historical data, duplicate sensitive environments, evade guardrails, or prepare for data exfiltration. 
 33
 34This rule detects successful invocation of `RestoreDBInstanceFromDBSnapshot` and `RestoreDBInstanceFromS3`, both of which may indicate attempts to rehydrate old datasets, bypass deletion protection, or establish a shadow environment for further malicious actions.
 35
 36#### Possible investigation steps
 37
 38- **Identify the actor and execution context**
 39  - Review `aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.type`, and `aws.cloudtrail.user_identity.access_key_id`.
 40  - Check `user.name`, `source.ip`, and `user_agent.original` to determine how the restore was executed (console, CLI, automation, SDK).
 41
 42- **Understand what was restored and why**
 43  - Inspect `aws.cloudtrail.request_parameters` to identify:
 44    - Snapshot identifier or S3 location used as the restore source.
 45    - The new DB instance identifier and configuration parameters.
 46  - Determine:
 47    - Whether the snapshot/backup used for the restore contains sensitive or high-value data.
 48    - Whether this restore created a publicly accessible instance, changed security groups, or used unusual storage/instance classes.
 49
 50- **Reconstruct the activity flow**
 51  - Use `@timestamp` to correlate the restore event with:
 52    - Snapshot creation, copy, or export events.
 53    - IAM policy changes or privilege escalations.
 54    - Deletion or modification of the original database.
 55    - Other RDS lifecycle actions such as `ModifyDBInstance`, `DeleteDBInstance`, or backup configuration changes.
 56  - Look for signs of attacker staging:
 57    - Prior enumeration activity (`DescribeDBSnapshots`, `DescribeDBInstances`).
 58    - Recent logins from unusual IPs or federated sessions without MFA.
 59
 60- **Correlate with broader behavior**
 61  - Pivot in CloudTrail on:
 62    - The same snapshot identifier.
 63    - The same actor or access key ID.
 64    - The newly created DB instance identifier.
 65  - Examine:
 66    - Whether the restored DB was modified immediately after (e.g., security groups opened, deletion protection disabled).
 67    - Whether there were large-volume read operations or export actions following the restore.
 68    - Whether the restore is part of a pattern of parallel suspicious activity (snapshot copying, S3 backups, cross-account actions).
 69
 70- **Validate intent with owners**
 71  - Confirm with the application/database/platform teams:
 72    - Whether the restore was requested or part of an authorized operational workflow.
 73    - Whether this restore corresponds to migration, testing, DR drill, or another planned activity.
 74    - Whether the restored environment should exist (and for how long).
 75
 76### False positive analysis
 77
 78- **Legitimate maintenance and DR workflows**
 79  - Many teams restore databases for patch testing, DR validation, schema testing, or migration.
 80- **Automated restore workflows**
 81  - CI/CD pipelines or internal automation may restore DBs to generate staging or dev environments.
 82- **Third-party tooling**
 83  - Backup/DR solutions, migration tools, or observability platforms may restore DB instances for operational reasons. Tune based on `user_agent.original` or known service roles.
 84
 85### Response and remediation
 86
 87- **Contain the restored environment**
 88  - If unauthorized:
 89    - Apply restrictive security groups to block access.
 90    - Disable public accessibility if enabled.
 91    - Evaluate whether deletion protection or backup retention is misconfigured.
 92
 93- **Assess data exposure and intent**
 94  - Work with data owners to evaluate:
 95    - The sensitivity of the restored environment.
 96    - Whether any reads, dumps, or exports occurred post-restore.
 97    - Whether the restore enabled the attacker to access older or deleted data.
 98
 99- **Investigate scope and related activity**
100  - Review CloudTrail for:
101    - Additional restores, exports, or copies.
102    - IAM changes allowing expanded privileges.
103    - Unusual authentication events or federated sessions without MFA.
104    - Related destructive actions (snapshot deletion, backup disabled, instance deletion).
105
106- **Hardening and preventive controls**
107  - Enforce least privilege for `rds:RestoreDBInstanceFromDBSnapshot` and `rds:RestoreDBInstanceFromS3`.
108  - Use IAM conditions to restrict restore actions by network, principal, or region.
109  - Add AWS Config and Security Hub controls for monitoring:
110    - Unapproved restores.
111    - Public or misconfigured restored instances.
112  - Consider SCPs that prevent RDS restores in production accounts except through controlled roles.
113
114- **Post-incident improvements**
115  - Rotate credentials for affected IAM users/roles.
116  - Update change management processes to ensure restore actions are tracked and approved.
117  - Adjust rule exceptions sparingly and ensure high-risk restores continue to generate alerts.
118
119### Additional information
120
121- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)** 
122- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)** 
123- **Security Best Practices:** [AWS Knowledge Center – Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/).
124"""
125references = [
126    "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_RestoreDBInstanceFromDBSnapshot.html",
127    "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_RestoreDBInstanceFromS3.html",
128    "https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/rds__explore_snapshots/main.py",
129    "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation#rds-createdbsnapshot-rds-restoredbinstancefromdbsnapshot-rds-modifydbinstance",
130]
131risk_score = 47
132rule_id = "bf1073bf-ce26-4607-b405-ba1ed8e9e204"
133severity = "medium"
134tags = [
135    "Domain: Cloud",
136    "Data Source: AWS",
137    "Data Source: Amazon Web Services",
138    "Data Source: AWS RDS",
139    "Use Case: Asset Visibility",
140    "Tactic: Defense Evasion",
141    "Resources: Investigation Guide",
142]
143timestamp_override = "event.ingested"
144type = "query"
145
146query = '''
147event.dataset: "aws.cloudtrail"
148    and event.provider: "rds.amazonaws.com"
149    and event.action: ("RestoreDBInstanceFromDBSnapshot" or "RestoreDBInstanceFromS3")
150    and event.outcome: "success"
151'''
152
153
154[[rule.threat]]
155framework = "MITRE ATT&CK"
156[[rule.threat.technique]]
157id = "T1578"
158name = "Modify Cloud Compute Infrastructure"
159reference = "https://attack.mitre.org/techniques/T1578/"
160[[rule.threat.technique.subtechnique]]
161id = "T1578.002"
162name = "Create Cloud Instance"
163reference = "https://attack.mitre.org/techniques/T1578/002/"
164
165[[rule.threat.technique.subtechnique]]
166id = "T1578.004"
167name = "Revert Cloud Instance"
168reference = "https://attack.mitre.org/techniques/T1578/004/"
169
170
171
172[rule.threat.tactic]
173id = "TA0005"
174name = "Defense Evasion"
175reference = "https://attack.mitre.org/tactics/TA0005/"
176
177[rule.investigation_fields]
178field_names = [
179    "@timestamp",
180    "user.name",
181    "user_agent.original",
182    "source.ip",
183    "aws.cloudtrail.user_identity.arn",
184    "aws.cloudtrail.user_identity.type",
185    "aws.cloudtrail.user_identity.access_key_id",
186    "event.action",
187    "event.outcome",
188    "cloud.account.id",
189    "cloud.region",
190    "aws.cloudtrail.request_parameters",
191    "aws.cloudtrail.response_elements",
192]