AWS RDS Snapshot Export

Identifies the export of a DB snapshot or DB cluster data to Amazon S3. Snapshot exports can be used for analytics or migration workflows, but adversaries may abuse them to exfiltrate sensitive data outside of RDS-managed storage. Exporting a snapshot creates a portable copy of the database contents, which, if performed without authorization, can indicate data theft, staging for exfiltration, or operator misconfiguration that exposes regulated information.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2021/06/06"
integration = ["aws"]
maturity = "production"
updated_date = "2025/11/24"

[rule]
author = ["Elastic", "Austin Songer"]
description = """
Identifies the export of a DB snapshot or DB cluster data to Amazon S3. Snapshot exports can be used for analytics or
migration workflows, but adversaries may abuse them to exfiltrate sensitive data outside of RDS-managed storage.
Exporting a snapshot creates a portable copy of the database contents, which, if performed without authorization, can
indicate data theft, staging for exfiltration, or operator misconfiguration that exposes regulated information.
"""
false_positives = [
    """
    Snapshot exports may be performed by administrators, automation pipelines, or data engineering workflows. Confirm
    whether the export was expected and initiated by an authorized user, role, or automation process. Snapshot exports
    by unfamiliar principals or from unexpected networks should be investigated. If known behavior causes false
    positives, it can be exempted from the rule.
    """,
]
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS RDS Snapshot Export"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance.  
> While every effort has been made to ensure its quality, validate and adapt it to suit your operational needs.

### Investigating AWS RDS Snapshot Export

Exporting an RDS snapshot to Amazon S3 allows the full contents of a database to be written outside the managed
RDS service boundary. While legitimate for analytics or migration, this action can also be a mechanism for data
exfiltration. Because snapshot exports produce files that can be downloaded, shared, or accessed by other AWS principals,
unauthorized exports may indicate staging for data theft or attempts to bypass database access controls.

This rule detects successful `StartExportTask` events. Activity of this type should be validated to ensure that only
authorized database, platform engineering, or analytics workflows initiated the export.

#### Possible investigation steps

- **Identify the actor and context**
  - Review `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` to determine which principal initiated the export.
  - Look at `source.ip`, `user.name`, and `user_agent.original` to understand where the export originated (console, CLI, SDK, automation).
  - Check whether the principal has historically performed snapshot exports.

- **Determine what was exported**
  - Examine `aws.cloudtrail.request_parameters`:
    - Export task identifier and the source snapshot or cluster ARN (the `ExportTaskIdentifier` and `SourceArn` API parameters).
    - Destination S3 bucket and prefix (`S3BucketName`, `S3Prefix`) and the IAM role the export runs as (`IamRoleArn`).
    - KMS key (`KmsKeyId`). `StartExportTask` requires one, so check that it is the expected key rather than whether encryption is present at all.
  - Map the snapshot and destination bucket to:
    - Application/owner team.
    - Environment (prod/staging/dev).
    - Data classification (PII, PHI, PCI, internal).

- **Reconstruct timing and surrounding context**
  - Use `@timestamp` to correlate the export with:
    - Recent RDS modifications (`ModifyDBInstance`, `ModifyDBCluster`), snapshot deletions, or retention changes.
    - IAM role changes, access key issuance, or privilege escalation attempts.
    - Unusual authentication patterns (e.g., successful logins from new locations, failed console logins).
  - Check whether the export timing aligns with approved deployments or maintenance windows.

- **Correlate with broader CloudTrail activity**
  - Pivot on the same user, role, or access key ID to look for:
    - Prior reconnaissance (e.g., `DescribeDBSnapshots`, `DescribeDBClusters`, `ListBuckets`).
    - Permission changes (`PutRolePolicy`, `AttachUserPolicy`).
    - Public exposure (e.g., S3 bucket ACL changes).
  - Determine whether multiple snapshots were exported around the same time.

- **Validate intent with stakeholders**
  - Confirm with the database owner, analytics team, or platform engineering team whether:
    - The export was planned and authorized.
    - The target S3 bucket is approved for storing database contents.
    - Encryption and access controls meet organizational policy.

### False positive analysis

- **Authorized data analytics or ETL workflows**
  - Many organizations export snapshots for reporting, ML pipelines, or external data processing.
  - Validate that the export aligns with documented ETL or analytics processes.

- **Automated snapshot export tools**
  - Backup pipelines, cost optimization, or data replication systems may export snapshots.
  - Tune the rule by excluding known IAM roles or automation user agents.

- **CloudFormation or IaC triggers**
  - Infrastructure-as-code pipelines may trigger snapshot exports as part of stack updates.
  - Correlate with CloudFormation events to confirm legitimacy.

### Response and remediation

- **Contain potential exfiltration**
  - Review access to the destination S3 bucket and confirm that:
    - Bucket is encrypted with the expected KMS key.
    - Access is restricted to authorized principals.
    - No unusual downloads or cross-account accesses occurred.

- **Investigate scope and impact**
  - Use CloudTrail to enumerate:
    - All export tasks started by the same actor.
    - Other snapshot or data-access API calls in the same time window.
  - Validate whether sensitive or regulated data may have been included.

- **Credential and access remediation**
  - If activity appears unauthorized:
    - Revoke or rotate compromised IAM credentials.
    - Review STS session activity related to the actor.
    - Inspect IAM role policies for privilege escalation.

- **Hardening and preventive controls**
  - Restrict the ability to call `StartExportTask` using:
    - IAM least-privilege policies.
    - Service Control Policies (SCPs) in production accounts.
    - Conditional IAM (e.g., requiring MFA, restricting by VPC endpoint or IP range).
  - Enable guardrails:
    - AWS Config/Security Hub controls for monitoring snapshot policy changes.
    - Alerts for exports to buckets outside approved accounts.

### Additional information

- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)**
- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)**
- **Security Best Practices:** [AWS Knowledge Center – Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/).

"""
references = ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StartExportTask.html"]
risk_score = 21
rule_id = "119c8877-8613-416d-a98a-96b6664ee73a"
severity = "low"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Use Case: Asset Visibility",
    "Tactic: Collection",
    "Tactic: Exfiltration",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset: aws.cloudtrail
    and event.provider: rds.amazonaws.com
    and event.action: StartExportTask
    and event.outcome: success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1213"
name = "Data from Information Repositories"
reference = "https://attack.mitre.org/techniques/T1213/"
[[rule.threat.technique.subtechnique]]
id = "T1213.006"
name = "Databases"
reference = "https://attack.mitre.org/techniques/T1213/006/"

[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "event.action",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
    "aws.cloudtrail.request_parameters",
    "aws.cloudtrail.response_elements",
]

Triage and analysis

Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance.
While every effort has been made to ensure its quality, validate and adapt it to suit your operational needs.

Investigating AWS RDS Snapshot Export

Exporting an RDS snapshot to Amazon S3 allows the full contents of a database to be written outside the managed RDS service boundary. While legitimate for analytics or migration, this action can also be a mechanism for data exfiltration. Because snapshot exports produce files that can be downloaded, shared, or accessed by other AWS principals, unauthorized exports may indicate staging for data theft or attempts to bypass database access controls.

This rule detects successful StartExportTask events. Activity of this type should be validated to ensure that only authorized database, platform engineering, or analytics workflows initiated the export.

Possible investigation steps

  • Identify the actor and context

    • Review aws.cloudtrail.user_identity.arn and aws.cloudtrail.user_identity.access_key_id to determine which principal initiated the export.
    • Look at source.ip, user.name, and user_agent.original to understand where the export originated (console, CLI, SDK, automation).
    • Check whether the principal has historically performed snapshot exports.
  • Determine what was exported

    • Examine aws.cloudtrail.request_parameters:
      • Export task identifier and the source snapshot or cluster ARN (the ExportTaskIdentifier and SourceArn API parameters).
      • Destination S3 bucket and prefix (S3BucketName, S3Prefix) and the IAM role the export runs as (IamRoleArn).
      • KMS key (KmsKeyId). StartExportTask requires one, so check that it is the expected key rather than whether encryption is present at all.
    • Map the snapshot and destination bucket to:
      • Application/owner team.
      • Environment (prod/staging/dev).
      • Data classification (PII, PHI, PCI, internal).
  • Reconstruct timing and surrounding context

    • Use @timestamp to correlate the export with:
      • Recent RDS modifications (ModifyDBInstance, ModifyDBCluster), snapshot deletions, or retention changes.
      • IAM role changes, access key issuance, or privilege escalation attempts.
      • Unusual authentication patterns (e.g., successful logins from new locations, failed console logins).
    • Check whether the export timing aligns with approved deployments or maintenance windows.
  • Correlate with broader CloudTrail activity

    • Pivot on the same user, role, or access key ID to look for:
      • Prior reconnaissance (e.g., DescribeDBSnapshots, DescribeDBClusters, ListBuckets).
      • Permission changes (PutRolePolicy, AttachUserPolicy).
      • Public exposure (e.g., S3 bucket ACL changes).
    • Determine whether multiple snapshots were exported around the same time.
  • Validate intent with stakeholders

    • Confirm with the database owner, analytics team, or platform engineering team whether:
      • The export was planned and authorized.
      • The target S3 bucket is approved for storing database contents.
      • Encryption and access controls meet organizational policy.
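The investigation and correlation steps above, carried out in code as an added example that is not part of the Elastic rule or its guide: a Python triage helper that re-applies the rule's query to raw CloudTrail records (the guide's ECS field names map to the raw keys eventSource, eventName, errorCode, userIdentity and requestParameters), flattens the actor and request fields the guide names, and then pivots on the actor's access key for the reconnaissance and permission-change calls listed under "Correlate with broader CloudTrail activity". The approved bucket and principal lists, the 24-hour pivot window, and every record, ARN, access key ID, bucket name and IP address are constructed assumptions, not data from the page.

```python
from datetime import datetime, timedelta

RECON_CALLS = {"DescribeDBSnapshots", "DescribeDBClusters", "DescribeDBClusterSnapshots", "ListBuckets"}
PERMISSION_CALLS = {"PutRolePolicy", "AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy", "CreateAccessKey"}


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def matches_rule(event):
    """The rule's KQL on a raw CloudTrail record; a missing errorCode is what the integration maps to event.outcome: success."""
    return (event.get("eventSource") == "rds.amazonaws.com"
            and event.get("eventName") == "StartExportTask"
            and "errorCode" not in event)


def export_details(event):
    """Flatten the actor and request fields the guide asks for."""
    ident = event.get("userIdentity", {})
    params = event.get("requestParameters", {})
    return {
        "time": event["eventTime"],
        "actor_arn": ident.get("arn"),
        "access_key_id": ident.get("accessKeyId"),
        "source_ip": event.get("sourceIPAddress"),
        "user_agent": event.get("userAgent"),
        "source_arn": params.get("sourceArn"),  # snapshot or cluster being exported
        "bucket": params.get("s3BucketName"),
        "prefix": params.get("s3Prefix"),
        "kms_key_id": params.get("kmsKeyId"),  # the API requires one; compare it with the expected key
    }


def pivot_context(events, access_key_id, anchor, window_hours=24):
    """API calls made with the same access key in the window before the export."""
    start = anchor - timedelta(hours=window_hours)
    names = {ev.get("eventName") for ev in events
             if ev.get("userIdentity", {}).get("accessKeyId") == access_key_id
             and start <= _ts(ev) <= anchor}
    return {"recon": sorted(names & RECON_CALLS),
            "permission_changes": sorted(names & PERMISSION_CALLS)}


def triage(events, approved_buckets, approved_actor_arns):
    """One finding per rule hit, annotated with the guide's risk indicators."""
    findings = []
    for ev in filter(matches_rule, events):
        f = export_details(ev)
        f["context"] = pivot_context(events, f["access_key_id"], _ts(ev))
        checks = [
            (f["bucket"] not in approved_buckets, "destination bucket not on the approved list"),
            (f["actor_arn"] not in approved_actor_arns, "actor is not an approved export principal"),
            (bool(f["context"]["recon"]), "snapshot/bucket reconnaissance by the same access key beforehand"),
            (bool(f["context"]["permission_changes"]), "permission changes by the same access key beforehand"),
        ]
        f["risk_notes"] = [text for hit, text in checks if hit]
        findings.append(f)
    return findings


# Constructed sample records in trimmed CloudTrail JSON shape; every ARN, key ID, bucket, IP and account is made up.
_CONTRACTOR = {"arn": "arn:aws:iam::111122223333:user/contractor", "accessKeyId": "AKIACONTRACTOR00001"}
_PIPELINE = {"arn": "arn:aws:sts::111122223333:assumed-role/export-role/ci", "accessKeyId": "ASIAPIPELINE000001"}
_CLI = {"sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0"}
SAMPLE_EVENTS = [
    {**_CLI, "eventTime": "2025-11-24T09:40:00Z", "eventSource": "rds.amazonaws.com",
     "eventName": "DescribeDBSnapshots", "userIdentity": _CONTRACTOR, "requestParameters": {}},
    {**_CLI, "eventTime": "2025-11-24T09:45:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "PutRolePolicy", "userIdentity": _CONTRACTOR,
     "requestParameters": {"roleName": "rds-export-role", "policyName": "s3-any-bucket"}},
    {**_CLI, "eventTime": "2025-11-24T10:01:00Z", "eventSource": "rds.amazonaws.com",
     "eventName": "StartExportTask", "userIdentity": _CONTRACTOR,
     "requestParameters": {
         "exportTaskIdentifier": "prod-customers-copy",
         "sourceArn": "arn:aws:rds:us-east-1:111122223333:snapshot:prod-customers-2025-11-23",
         "s3BucketName": "unknown-staging-bucket", "s3Prefix": "dumps/",
         "iamRoleArn": "arn:aws:iam::111122223333:role/rds-export-role",
         "kmsKeyId": "arn:aws:kms:us-east-1:111122223333:alias/contractor-key"}},
    # Denied attempt: errorCode is present, so event.outcome is failure and the rule skips it.
    {**_CLI, "eventTime": "2025-11-24T10:02:00Z", "eventSource": "rds.amazonaws.com",
     "eventName": "StartExportTask", "errorCode": "AccessDenied", "userIdentity": _CONTRACTOR,
     "requestParameters": {"exportTaskIdentifier": "prod-orders-copy", "s3BucketName": "unknown-staging-bucket"}},
    # Expected nightly export by the analytics pipeline: matches the rule, but every check passes.
    {"eventTime": "2025-11-24T02:00:00Z", "eventSource": "rds.amazonaws.com", "eventName": "StartExportTask",
     "userIdentity": _PIPELINE, "sourceIPAddress": "10.20.30.40", "userAgent": "Boto3/1.34.0",
     "requestParameters": {
         "exportTaskIdentifier": "nightly-reporting",
         "sourceArn": "arn:aws:rds:us-east-1:111122223333:snapshot:rds:prod-reporting-2025-11-24-01-00",
         "s3BucketName": "analytics-exports-111122223333", "s3Prefix": "nightly/",
         "iamRoleArn": "arn:aws:iam::111122223333:role/export-role",
         "kmsKeyId": "arn:aws:kms:us-east-1:111122223333:alias/rds-export"}},
]
APPROVED_BUCKETS = {"analytics-exports-111122223333"}
APPROVED_ACTORS = {"arn:aws:sts::111122223333:assumed-role/export-role/ci"}

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS, APPROVED_BUCKETS, APPROVED_ACTORS):
        print(f["time"], f["actor_arn"], "->", f["bucket"], f["risk_notes"] or "no indicators")
```

Run directly, it prints one line per finding. The denied StartExportTask is dropped by the same outcome filter the rule uses, and the pipeline's export is reported with no indicators, which is the situation the false positive section describes; the contractor's export collects all four indicators because the same access key enumerated snapshots and changed a role policy shortly before exporting to an unlisted bucket. To use it on real data, feed it the records from a CloudTrail lookup or trail export and replace the approved lists with your own.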

False positive analysis

  • Authorized data analytics or ETL workflows

    • Many organizations export snapshots for reporting, ML pipelines, or external data processing.
    • Validate that the export aligns with documented ETL or analytics processes.
  • Automated snapshot export tools

    • Backup pipelines, cost optimization, or data replication systems may export snapshots.
    • Tune the rule by excluding known IAM roles or automation user agents.
  • CloudFormation or IaC triggers

    • Infrastructure-as-code pipelines may trigger snapshot exports as part of stack updates.
    • Correlate with CloudFormation events to confirm legitimacy.

Response and remediation

  • Contain potential exfiltration

    • Review access to the destination S3 bucket and confirm that:
      • Bucket is encrypted with the expected KMS key.
      • Access is restricted to authorized principals.
      • No unusual downloads or cross-account accesses occurred.
  • Investigate scope and impact

    • Use CloudTrail to enumerate:
      • All export tasks started by the same actor.
      • Other snapshot or data-access API calls in the same time window.
    • Validate whether sensitive or regulated data may have been included.
  • Credential and access remediation

    • If activity appears unauthorized:
      • Revoke or rotate compromised IAM credentials.
      • Review STS session activity related to the actor.
      • Inspect IAM role policies for privilege escalation.
  • Hardening and preventive controls

    • Restrict the ability to call StartExportTask using:
      • IAM least-privilege policies.
      • Service Control Policies (SCPs) in production accounts.
      • Conditional IAM (e.g., requiring MFA, restricting by VPC endpoint or IP range).
    • Enable guardrails:
      • AWS Config/Security Hub controls for monitoring snapshot policy changes.
      • Alerts for exports to buckets outside approved accounts.
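One way to apply the SCP control listed above, as an added example that is not from the rule or from AWS documentation: a service control policy that denies rds:StartExportTask to every principal in the accounts it is attached to except the role named analytics-export-role. The role name is an assumption; aws:PrincipalArn resolves to the underlying role ARN for assumed-role sessions, so the exception also covers sessions of that role.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRdsSnapshotExportExceptApprovedRole",
      "Effect": "Deny",
      "Action": "rds:StartExportTask",
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/analytics-export-role"
        }
      }
    }
  ]
}
```

Attach it to the production OU. A Deny in an SCP cannot be overridden by identity policies inside the member accounts, so a principal that grants itself rds:StartExportTask with PutRolePolicy or AttachUserPolicy still cannot start an export. Requirements such as MFA (aws:MultiFactorAuthPresent) or a source VPC endpoint (aws:SourceVpce) are better placed as conditions on the approved role's own identity policy than in the SCP.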

Additional information

  • AWS IR Playbooks: https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/
  • AWS Customer Playbook Framework: https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs
  • Security Best Practices: AWS Knowledge Center – Security Best Practices, https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/

References

  • https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StartExportTask.html