AWS RDS Snapshot Export

Identifies the export of an Amazon Relational Database Service (RDS) Aurora database snapshot.

Elastic rule

[metadata]
creation_date = "2021/06/06"
integration = ["aws"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic", "Austin Songer"]
description = "Identifies the export of an Amazon Relational Database Service (RDS) Aurora database snapshot."
false_positives = [
    """
    Exporting snapshots may be done by a system or network administrator. Verify whether the user identity, user agent,
    and/or hostname should be making changes in your environment. Snapshot exports from unfamiliar users or hosts should
    be investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
]
from = "now-60m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS RDS Snapshot Export"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating AWS RDS Snapshot Export

Amazon RDS Snapshot Export allows users to export Aurora database snapshots to Amazon S3, facilitating data analysis and backup. However, adversaries may exploit this feature to exfiltrate sensitive data by exporting snapshots without authorization. The detection rule monitors successful export tasks in AWS CloudTrail logs, flagging potential misuse by identifying unexpected or unauthorized snapshot exports.

### Possible investigation steps

- Review the AWS CloudTrail logs for the specific event.action:StartExportTask to identify the user or role that initiated the export task.
- Check the event.provider:rds.amazonaws.com logs to verify the source IP address and location from which the export task was initiated, looking for any anomalies or unexpected locations.
- Investigate the event.dataset:aws.cloudtrail logs to determine the specific database snapshot that was exported and assess its sensitivity or criticality.
- Cross-reference the event.outcome:success with IAM policies and permissions to ensure the user or role had legitimate access to perform the export task.
- Analyze any recent changes in IAM roles or policies that might have inadvertently granted export permissions to unauthorized users.
- Contact the data owner or relevant stakeholders to confirm whether the export task was authorized and aligns with business needs.

### False positive analysis

- Routine data exports for legitimate business purposes may trigger alerts. Users should review export tasks to confirm they align with expected business operations and consider whitelisting known, authorized export activities.
- Automated backup processes that regularly export snapshots to S3 can be mistaken for unauthorized actions. Identify and document these processes, then create exceptions in the monitoring system to prevent false alerts.
- Development and testing environments often involve frequent snapshot exports for testing purposes. Ensure these environments are clearly identified and excluded from alerts by setting up specific rules or tags that differentiate them from production environments.
- Exports initiated by third-party services or integrations that have been granted access to RDS snapshots might be flagged. Verify these integrations and adjust the detection rule to recognize and exclude these trusted services.

### Response and remediation

- Immediately revoke access to the AWS account or IAM role that initiated the unauthorized snapshot export to prevent further data exfiltration.
- Conduct a thorough review of AWS CloudTrail logs to identify any other unauthorized activities associated with the same account or IAM role, and assess the scope of the potential data breach.
- Notify the security team and relevant stakeholders about the incident, providing details of the unauthorized export and any other suspicious activities discovered.
- Restore the affected database from a known good backup if data integrity is suspected to be compromised, ensuring that the restored data is free from unauthorized changes.
- Implement stricter IAM policies and permissions to limit who can perform snapshot exports, ensuring that only authorized personnel have the necessary permissions.
- Enhance monitoring and alerting mechanisms to detect any future unauthorized snapshot export attempts, ensuring timely response to similar threats.
- Conduct a post-incident review to identify gaps in security controls and update incident response plans to improve readiness for future incidents.

## Setup

The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StartExportTask.html"]
risk_score = 21
rule_id = "119c8877-8613-416d-a98a-96b6664ee73a"
severity = "low"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Use Case: Asset Visibility",
    "Tactic: Exfiltration",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:StartExportTask and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"
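As an added example (not part of the Elastic rule or its code), the rule's KQL predicate implemented in Python over constructed CloudTrail documents, with the exception list the false-positive guidance calls for and the fields the investigation steps ask for (actor, source IP, snapshot, destination bucket) pulled out of each hit. The ECS document layout, the account ID, ARNs, bucket names and the nested request_parameters object are assumptions made here for the sample data; in a real Filebeat/Fleet pipeline the request parameters field may be stored as a flattened string rather than a nested object.

```python
from typing import Any, FrozenSet, Iterable

# Each term of the rule's query; KQL ANDs them, so all must hold for a hit.
RULE = {"event.dataset": "aws.cloudtrail", "event.provider": "rds.amazonaws.com",
        "event.action": "StartExportTask", "event.outcome": "success"}


def get_field(doc: dict[str, Any], dotted: str) -> Any:
    """Resolve an ECS dotted field name such as 'event.action' against a nested document."""
    cur: Any = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches_rule(doc: dict[str, Any]) -> bool:
    """True when the document satisfies every term of the rule's query."""
    return all(get_field(doc, field) == value for field, value in RULE.items())


def make_event(action: str, outcome: str, arn: str, params: dict[str, str]) -> dict[str, Any]:
    """Build a constructed CloudTrail document in ECS layout (sample data, not a real log)."""
    return {"event": {"dataset": "aws.cloudtrail", "provider": "rds.amazonaws.com",
                      "action": action, "outcome": outcome},
            "aws": {"cloudtrail": {"user_identity": {"arn": arn}, "request_parameters": params}},
            "source": {"ip": "198.51.100.7"}}


# Constructed sample events: account ID, ARNs, snapshot and bucket names are placeholders.
SAMPLE_EVENTS = [
    make_event("StartExportTask", "success", "arn:aws:iam::111111111111:user/alice",
               {"sourceArn": "arn:aws:rds:us-east-1:111111111111:cluster-snapshot:prod-snap",
                "s3BucketName": "external-bucket-example"}),
    make_event("StartExportTask", "failure", "arn:aws:iam::111111111111:user/alice", {}),
    make_event("StartExportTask", "success", "arn:aws:iam::111111111111:role/backup-export-role",
               {"sourceArn": "arn:aws:rds:us-east-1:111111111111:cluster-snapshot:nightly",
                "s3BucketName": "backup-bucket-example"}),
    make_event("DescribeExportTasks", "success", "arn:aws:iam::111111111111:user/bob", {}),
]


def triage(docs: Iterable[dict[str, Any]], exempt_arns: FrozenSet[str] = frozenset()) -> list[dict[str, Any]]:
    """Apply the rule, drop documented automation identities (the exception the guide suggests),
    and extract the fields the investigation steps ask for from each remaining hit."""
    alerts = []
    for doc in docs:
        if not matches_rule(doc):
            continue
        actor = get_field(doc, "aws.cloudtrail.user_identity.arn")
        if actor in exempt_arns:
            continue
        alerts.append({"actor": actor, "source_ip": get_field(doc, "source.ip"),
                       "snapshot": get_field(doc, "aws.cloudtrail.request_parameters.sourceArn"),
                       "s3_bucket": get_field(doc, "aws.cloudtrail.request_parameters.s3BucketName")})
    return alerts
```

The failed export and the DescribeExportTasks call never match the query, and the documented backup role is dropped only when its ARN is in the exception set.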
