AWS RDS DB Snapshot Shared with Another Account

Identifies an AWS RDS DB snapshot being shared with another AWS account. DB snapshots contain a full backup of an entire DB instance including sensitive data that can be abused if shared with unauthorized accounts or made public. Adversaries may use snapshots to restore a DB Instance in an environment they control as a means of data exfiltration.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2024/06/25"
 3integration = ["aws"]
 4maturity = "production"
 5updated_date = "2024/07/06"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies an AWS RDS DB snapshot being shared with another AWS account. DB snapshots contain a full backup of an entire DB instance including sensitive data that can be abused if shared with unauthorized accounts or made public. Adversaries may use snapshots to restore a DB Instance in an environment they control as a means of data exfiltration.
11"""
12false_positives = [
13    """
14    DB snapshot sharing is a common practice in AWS environments. Ensure that the sharing is authorized before taking action.
15    """,
16]
17from = "now-6m"
18index = ["filebeat-*", "logs-aws.cloudtrail-*"]
19language = "eql"
20license = "Elastic License v2"
21name = "AWS RDS DB Snapshot Shared with Another Account"
22note = """
23## Triage and Analysis
24
25### Investigating AWS RDS DB Snapshot Shared with Another Account
26
27This rule identifies when an RDS DB snapshot is shared with another AWS account. While sharing DB snapshots is a common practice, adversaries may exploit this feature to exfiltrate data by sharing snapshots with external accounts under their control.
28
29#### Possible Investigation Steps
30
31- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who made the change. Verify if this actor typically performs such actions and if they have the necessary permissions.
32- **Review the Sharing Event**: Identify the DB snapshot involved and review the event details. Look for `ModifyDBSnapshotAttribute` or `ModifyDBClusterSnapshotAttribute` actions where the snapshot attributes were changed to include additional user accounts.
33    - **Request and Response Parameters**: Check the `aws.cloudtrail.request_parameters` and `aws.cloudtrail.response_elements` fields in the CloudTrail event to identify the DB Snapshot Identifier and account ID with which the snapshot was shared.
34- **Verify the Shared Snapshot**: Check the DB snapshot that was shared and its contents to determine the sensitivity of the data stored within it.
35- **Validate External Account**: Examine the AWS account to which the snapshot was shared. Determine whether this account is known and previously authorized to access such resources.
36- **Contextualize with Recent Changes**: Compare this sharing event against recent changes in RDS DB or Cluster configurations and deployments. Look for any other recent permissions changes or unusual administrative actions.
37- **Correlate with Other Activities**: Search for related CloudTrail events before and after this change to see if the same actor or IP address engaged in other potentially suspicious activities.
38- **Interview Relevant Personnel**: If the share was initiated by a user, verify the intent and authorization for this action with the person or team responsible for managing DB backups and snapshots.
39
40### False Positive Analysis
41
42- **Legitimate Backup Actions**: Confirm if the Db snapshot sharing aligns with scheduled backups or legitimate automation tasks.
43- **Consistency Check**: Compare the action against historical data of similar actions performed by the user or within the organization. If the action is consistent with past legitimate activities, it might indicate a false alarm.
44
45### Response and Remediation
46
47- **Immediate Review and Reversal**: If the change was unauthorized, update the snapshot permissions to remove any unauthorized accounts and restore it to its previous state.
48- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar actions, especially those involving sensitive data or permissions.
49- **Audit Snapshots and Policies**: Conduct a comprehensive audit of all snapshots and associated policies to ensure they adhere to the principle of least privilege.
50- **Policy Update**: Review and possibly update your organization’s policies on DB snapshot sharing to tighten control and prevent unauthorized access.
51- **Incident Response**: If malicious intent is confirmed, consider it a data breach incident and initiate the incident response protocol. This includes further investigation, containment, and recovery.
52
53### Additional Information:
54
55For further guidance on managing DB backups and securing AWS environments, refer to the [AWS RDS documentation](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_CommonTasks.BackupRestore.html) and AWS best practices for security. Additionally, consult the following resources for specific details on DB snapshot security:
56- [AWS RDS DB Snapshot Sharing](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ShareSnapshot.html)
57- [AWS RDS ModifyDBSnapshotAttribute](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBSnapshotAttribute.html)
58- [AWS RDS Snapshot Dump](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation#rds-modifydbsnapshotattribute-rds-createdbsnapshot)
59"""
60references = [
61    "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBSnapshotAttribute.html",
62    "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ShareSnapshot.html",
63    "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation#rds-modifydbsnapshotattribute-rds-createdbsnapshot",
64]
65risk_score = 47
66rule_id = "4577ef08-61d1-4458-909f-25a4b10c87fe"
67severity = "medium"
68tags = [
69    "Domain: Cloud",
70    "Data Source: AWS",
71    "Data Source: Amazon Web Services",
72    "Data Source: AWS RDS",
73    "Resources: Investigation Guide",
74    "Use Case: Threat Detection",
75    "Tactic: Exfiltration",
76]
77timestamp_override = "event.ingested"
78type = "eql"
79
80query = '''
81any where event.dataset == "aws.cloudtrail"
82    and event.provider == "rds.amazonaws.com"
83    and event.outcome == "success"
84    and event.action in ("ModifyDBSnapshotAttribute", "ModifyDBClusterSnapshotAttribute") 
85    and stringContains(aws.cloudtrail.request_parameters, "attributeName=restore")
86    and stringContains(aws.cloudtrail.request_parameters, "valuesToAdd=[*]")
87'''
88
89[[rule.threat]]
90framework = "MITRE ATT&CK"
91[[rule.threat.technique]]
92id = "T1537"
93name = "Transfer Data to Cloud Account"
94reference = "https://attack.mitre.org/techniques/T1537/"
95
96[rule.threat.tactic]
97id = "TA0010"
98name = "Exfiltration"
99reference = "https://attack.mitre.org/tactics/TA0010/"

Triage and Analysis

Investigating AWS RDS DB Snapshot Shared with Another Account

This rule identifies when an RDS DB snapshot is shared with another AWS account. While sharing DB snapshots is a common practice, adversaries may exploit this feature to exfiltrate data by sharing snapshots with external accounts under their control.

Possible Investigation Steps

  • Identify the Actor: Review the aws.cloudtrail.user_identity.arn and aws.cloudtrail.user_identity.access_key_id fields to identify who made the change. Verify if this actor typically performs such actions and if they have the necessary permissions.
  • Review the Sharing Event: Identify the DB snapshot involved and review the event details. Look for ModifyDBSnapshotAttribute or ModifyDBClusterSnapshotAttribute actions where the snapshot attributes were changed to include additional user accounts.
    • Request and Response Parameters: Check the aws.cloudtrail.request_parameters and aws.cloudtrail.response_elements fields in the CloudTrail event to identify the DB Snapshot Identifier and account ID with which the snapshot was shared.
  • Verify the Shared Snapshot: Check the DB snapshot that was shared and its contents to determine the sensitivity of the data stored within it.
  • Validate External Account: Examine the AWS account to which the snapshot was shared. Determine whether this account is known and previously authorized to access such resources.
  • Contextualize with Recent Changes: Compare this sharing event against recent changes in RDS DB or Cluster configurations and deployments. Look for any other recent permissions changes or unusual administrative actions.
  • Correlate with Other Activities: Search for related CloudTrail events before and after this change to see if the same actor or IP address engaged in other potentially suspicious activities.
  • Interview Relevant Personnel: If the share was initiated by a user, verify the intent and authorization for this action with the person or team responsible for managing DB backups and snapshots.

False Positive Analysis

  • Legitimate Backup Actions: Confirm if the Db snapshot sharing aligns with scheduled backups or legitimate automation tasks.
  • Consistency Check: Compare the action against historical data of similar actions performed by the user or within the organization. If the action is consistent with past legitimate activities, it might indicate a false alarm.

Response and Remediation

  • Immediate Review and Reversal: If the change was unauthorized, update the snapshot permissions to remove any unauthorized accounts and restore it to its previous state.
  • Enhance Monitoring and Alerts: Adjust monitoring systems to alert on similar actions, especially those involving sensitive data or permissions.
  • Audit Snapshots and Policies: Conduct a comprehensive audit of all snapshots and associated policies to ensure they adhere to the principle of least privilege.
  • Policy Update: Review and possibly update your organization’s policies on DB snapshot sharing to tighten control and prevent unauthorized access.
  • Incident Response: If malicious intent is confirmed, consider it a data breach incident and initiate the incident response protocol. This includes further investigation, containment, and recovery.

Additional Information:

For further guidance on managing DB backups and securing AWS environments, refer to the AWS RDS documentation and AWS best practices for security. Additionally, consult the following resources for specific details on DB snapshot security:

References

Related rules

to-top