AWS RDS Snapshot Export
Identifies the export of a DB snapshot or DB cluster data to Amazon S3. Snapshot exports can be used for analytics or migration workflows, but adversaries may abuse them to exfiltrate sensitive data outside of RDS-managed storage. Exporting a snapshot creates a portable copy of the database contents, which, if performed without authorization, can indicate data theft, staging for exfiltration, or operator misconfiguration that exposes regulated information.
Elastic rule
[metadata]
creation_date = "2021/06/06"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/16"

[rule]
author = ["Elastic", "Austin Songer"]
description = """
Identifies the export of a DB snapshot or DB cluster data to Amazon S3. Snapshot exports can be used for analytics or
migration workflows, but adversaries may abuse them to exfiltrate sensitive data outside of RDS-managed storage.
Exporting a snapshot creates a portable copy of the database contents, which, if performed without authorization, can
indicate data theft, staging for exfiltration, or operator misconfiguration that exposes regulated information.
"""
false_positives = [
    """
    Snapshot exports may be performed by administrators, automation pipelines, or data engineering workflows. Confirm
    whether the export was expected and initiated by an authorized user, role, or automation process. Snapshot exports
    by unfamiliar principals or from unexpected networks should be investigated. If known behavior causes false
    positives, it can be exempted from the rule.
    """,
]
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS RDS Snapshot Export"
note = """## Triage and analysis

### Investigating AWS RDS Snapshot Export

Exporting an RDS snapshot to Amazon S3 allows the full contents of a database to be written outside the managed
RDS service boundary. While legitimate for analytics or migration, this action can also be a mechanism for data
exfiltration. Because snapshot exports produce files that can be downloaded, shared, or accessed by other AWS principals,
unauthorized exports may indicate staging for data theft or attempts to bypass database access controls.

This rule detects successful `StartExportTask` events. Activity of this type should be validated to ensure that only
authorized database, platform engineering, or analytics workflows initiated the export.

#### Possible investigation steps

- **Identify the actor and context**
  - Review `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` to determine which principal initiated the export.
  - Look at `source.ip`, `user.name`, and `user_agent.original` to understand where the export originated (console, CLI, SDK, automation).
  - Check whether the principal has historically performed snapshot exports.

- **Determine what was exported**
  - Examine `aws.cloudtrail.request_parameters`:
    - Snapshot identifier being exported.
    - S3 bucket name and path.
    - KMS key used (or absence of encryption).
  - Map the snapshot and destination bucket to:
    - Application/owner team.
    - Environment (prod/staging/dev).
    - Data classification (PII, PHI, PCI, internal).

- **Reconstruct timing and surrounding context**
  - Use `@timestamp` to correlate the export with:
    - Recent RDS modifications (`ModifyDBInstance`, `ModifyDBCluster`), snapshot deletions, or retention changes.
    - IAM role changes, access key issuance, or privilege escalation attempts.
    - Unusual authentication patterns (e.g., successful logins from new locations, failed console logins).
  - Check whether the export timing aligns with approved deployments or maintenance windows.

- **Correlate with broader CloudTrail activity**
  - Pivot on the same user, role, or access key ID to look for:
    - Prior reconnaissance (e.g., `DescribeDBSnapshots`, `DescribeDBClusters`, `ListBuckets`).
    - Permission changes (`PutRolePolicy`, `AttachUserPolicy`).
    - Public exposure (e.g., S3 bucket ACL changes).
  - Determine whether multiple snapshots were exported around the same time.

- **Validate intent with stakeholders**
  - Confirm with the database owner, analytics team, or platform engineering team whether:
    - The export was planned and authorized.
    - The target S3 bucket is approved for storing database contents.
    - Encryption and access controls meet organizational policy.

### False positive analysis

- **Authorized data analytics or ETL workflows**
  - Many organizations export snapshots for reporting, ML pipelines, or external data processing.
  - Validate that the export aligns with documented ETL or analytics processes.

- **Automated snapshot export tools**
  - Backup pipelines, cost optimization, or data replication systems may export snapshots.
  - Tune the rule by excluding known IAM roles or automation user agents.

- **CloudFormation or IaC triggers**
  - Infrastructure-as-code pipelines may trigger snapshot exports as part of stack updates.
  - Correlate with CloudFormation events to confirm legitimacy.

### Response and remediation

- **Contain potential exfiltration**
  - Review access to the destination S3 bucket and confirm that:
    - Bucket is encrypted with the expected KMS key.
    - Access is restricted to authorized principals.
    - No unusual downloads or cross-account accesses occurred.

- **Investigate scope and impact**
  - Use CloudTrail to enumerate:
    - All export tasks started by the same actor.
    - Other snapshot or data-access API calls in the same time window.
  - Validate whether sensitive or regulated data may have been included.

- **Credential and access remediation**
  - If activity appears unauthorized:
    - Revoke or rotate compromised IAM credentials.
    - Review STS session activity related to the actor.
    - Inspect IAM role policies for privilege escalation.

- **Hardening and preventive controls**
  - Restrict the ability to call `StartExportTask` using:
    - IAM least-privilege policies.
    - Service Control Policies (SCPs) in production accounts.
    - Conditional IAM (e.g., requiring MFA, restricting by VPC endpoint or IP range).
  - Enable guardrails:
    - AWS Config/Security Hub controls for monitoring snapshot policy changes.
    - Alerts for exports to buckets outside approved accounts.

### Additional information

- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)**
- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)**
- **Security Best Practices:** [AWS Knowledge Center – Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/).

"""
references = ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StartExportTask.html"]
risk_score = 21
rule_id = "119c8877-8613-416d-a98a-96b6664ee73a"
severity = "low"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Use Case: Asset Visibility",
    "Tactic: Collection",
    "Tactic: Exfiltration",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset: aws.cloudtrail
    and event.provider: rds.amazonaws.com
    and event.action: StartExportTask
    and event.outcome: success
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1213"
name = "Data from Information Repositories"
reference = "https://attack.mitre.org/techniques/T1213/"
[[rule.threat.technique.subtechnique]]
id = "T1213.006"
name = "Databases"
reference = "https://attack.mitre.org/techniques/T1213/006/"

[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "event.action",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
    "aws.cloudtrail.request_parameters",
    "aws.cloudtrail.response_elements",
]
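To show how the rule's four KQL terms and the guide's "determine what was exported" checks can be applied mechanically, here is an added Python example (not Elastic's code) that evaluates the query over constructed ECS-style CloudTrail documents and then flags matched exports whose destination bucket, KMS encryption, or principal fall outside a hypothetical allow-list. The bucket and role names are made up, and storing `aws.cloudtrail.request_parameters` as a JSON string is an assumption.

```python
import json

# Constructed ECS-style CloudTrail documents shaped like the fields the rule queries; not real events.
def ecs_doc(action, outcome, actor_arn, source_ip, params):
    return {"event.dataset": "aws.cloudtrail", "event.provider": "rds.amazonaws.com",
            "event.action": action, "event.outcome": outcome, "source.ip": source_ip,
            "aws.cloudtrail.user_identity.arn": actor_arn,
            # Assumption: request_parameters is stored as a JSON string.
            "aws.cloudtrail.request_parameters": json.dumps(params)}

ETL_ROLE = "arn:aws:iam::111122223333:role/analytics-export"   # hypothetical automation role
EVENTS = [
    ecs_doc("StartExportTask", "success", ETL_ROLE, "10.20.30.40",
            {"exportTaskIdentifier": "nightly-orders", "s3BucketName": "corp-analytics-exports",
             "sourceArn": "arn:aws:rds:us-east-1:111122223333:snapshot:orders-2026-01-15",
             "kmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}),
    ecs_doc("StartExportTask", "success", "arn:aws:iam::111122223333:user/contractor", "203.0.113.7",
            {"exportTaskIdentifier": "adhoc-1", "s3BucketName": "personal-scratch-bucket",
             "sourceArn": "arn:aws:rds:us-east-1:111122223333:snapshot:customers-prod"}),  # no kmsKeyId
    ecs_doc("StartExportTask", "failure", "arn:aws:iam::111122223333:user/contractor", "203.0.113.7",
            {"exportTaskIdentifier": "adhoc-0", "s3BucketName": "personal-scratch-bucket"}),
    ecs_doc("DescribeDBSnapshots", "success", "arn:aws:iam::111122223333:user/contractor", "203.0.113.7", {}),
]
APPROVED_BUCKETS = {"corp-analytics-exports"}   # hypothetical allow-list of export destinations
AUTOMATION_ARNS = {ETL_ROLE}

def matches_rule(doc):
    """The rule's KQL evaluated in Python: all four terms must match (AND)."""
    return (doc.get("event.dataset") == "aws.cloudtrail"
            and doc.get("event.provider") == "rds.amazonaws.com"
            and doc.get("event.action") == "StartExportTask"
            and doc.get("event.outcome") == "success")

def triage(doc, approved_buckets, automation_arns):
    """'Determine what was exported' checks from the guide; returns reasons to escalate."""
    params = json.loads(doc["aws.cloudtrail.request_parameters"])
    reasons = []
    if params.get("s3BucketName") not in approved_buckets:
        reasons.append("destination bucket not on the approved list: %s" % params.get("s3BucketName"))
    if not params.get("kmsKeyId"):
        reasons.append("export task specifies no KMS key (unencrypted export)")
    if doc["aws.cloudtrail.user_identity.arn"] not in automation_arns:
        reasons.append("principal is not a known export automation role: %s" % doc["aws.cloudtrail.user_identity.arn"])
    return reasons

def review(events, approved_buckets, automation_arns):
    """Detection then triage: export task id -> escalation reasons ([] means it looks authorized)."""
    return {json.loads(e["aws.cloudtrail.request_parameters"])["exportTaskIdentifier"]:
                triage(e, approved_buckets, automation_arns)
            for e in events if matches_rule(e)}
```

The failed export and the `DescribeDBSnapshots` call never reach triage, matching the rule's `event.outcome: success` and `event.action` filters; the contractor's export is the one that collects escalation reasons.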
Related rules
- AWS EC2 Export Task
- AWS S3 Bucket Policy Added to Allow Public Access
- AWS S3 Bucket Policy Added to Share with External Account
- AWS S3 Unauthenticated Bucket Access by Rare Source
- Deprecated - AWS EC2 Snapshot Activity