AWS RDS DB Snapshot Shared with Another Account

 1[metadata]
 2creation_date = "2024/06/25"
 3integration = ["aws"]
 4maturity = "production"
 5updated_date = "2024/07/06"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies an AWS RDS DB snapshot being shared with another AWS account. DB snapshots contain a full backup of an entire DB instance including sensitive data that can be abused if shared with unauthorized accounts or made public. Adversaries may use snapshots to restore a DB Instance in an environment they control as a means of data exfiltration.
11"""
12false_positives = [
13    """
14    DB snapshot sharing is a common practice in AWS environments. Ensure that the sharing is authorized before taking action.
15    """,
16]
17from = "now-6m"
18index = ["filebeat-*", "logs-aws.cloudtrail-*"]
19language = "eql"
20license = "Elastic License v2"
21name = "AWS RDS DB Snapshot Shared with Another Account"
22note = """
23## Triage and Analysis
24
25### Investigating AWS RDS DB Snapshot Shared with Another Account
26
27This rule identifies when an RDS DB snapshot is shared with another AWS account. While sharing DB snapshots is a common practice, adversaries may exploit this feature to exfiltrate data by sharing snapshots with external accounts under their control.
28
29#### Possible Investigation Steps
30
31- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who made the change. Verify if this actor typically performs such actions and if they have the necessary permissions.
32- **Review the Sharing Event**: Identify the DB snapshot involved and review the event details. Look for `ModifyDBSnapshotAttribute` or `ModifyDBClusterSnapshotAttribute` actions where the snapshot attributes were changed to include additional user accounts.
33    - **Request and Response Parameters**: Check the `aws.cloudtrail.request_parameters` and `aws.cloudtrail.response_elements` fields in the CloudTrail event to identify the DB Snapshot Identifier and account ID with which the snapshot was shared.
34- **Verify the Shared Snapshot**: Check the DB snapshot that was shared and its contents to determine the sensitivity of the data stored within it.
35- **Validate External Account**: Examine the AWS account to which the snapshot was shared. Determine whether this account is known and previously authorized to access such resources.
36- **Contextualize with Recent Changes**: Compare this sharing event against recent changes in RDS DB or Cluster configurations and deployments. Look for any other recent permissions changes or unusual administrative actions.
37- **Correlate with Other Activities**: Search for related CloudTrail events before and after this change to see if the same actor or IP address engaged in other potentially suspicious activities.
38- **Interview Relevant Personnel**: If the share was initiated by a user, verify the intent and authorization for this action with the person or team responsible for managing DB backups and snapshots.
39
40### False Positive Analysis
41
42- **Legitimate Backup Actions**: Confirm if the Db snapshot sharing aligns with scheduled backups or legitimate automation tasks.
43- **Consistency Check**: Compare the action against historical data of similar actions performed by the user or within the organization. If the action is consistent with past legitimate activities, it might indicate a false alarm.
44
45### Response and Remediation
46
47- **Immediate Review and Reversal**: If the change was unauthorized, update the snapshot permissions to remove any unauthorized accounts and restore it to its previous state.
48- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar actions, especially those involving sensitive data or permissions.
49- **Audit Snapshots and Policies**: Conduct a comprehensive audit of all snapshots and associated policies to ensure they adhere to the principle of least privilege.
50- **Policy Update**: Review and possibly update your organization’s policies on DB snapshot sharing to tighten control and prevent unauthorized access.
51- **Incident Response**: If malicious intent is confirmed, consider it a data breach incident and initiate the incident response protocol. This includes further investigation, containment, and recovery.
52
53### Additional Information:
54
55For further guidance on managing DB backups and securing AWS environments, refer to the [AWS RDS documentation](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_CommonTasks.BackupRestore.html) and AWS best practices for security. Additionally, consult the following resources for specific details on DB snapshot security:
56- [AWS RDS DB Snapshot Sharing](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ShareSnapshot.html)
57- [AWS RDS ModifyDBSnapshotAttribute](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBSnapshotAttribute.html)
58- [AWS RDS Snapshot Dump](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation#rds-modifydbsnapshotattribute-rds-createdbsnapshot)
59"""
60references = [
61    "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBSnapshotAttribute.html",
62    "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ShareSnapshot.html",
63    "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation#rds-modifydbsnapshotattribute-rds-createdbsnapshot",
64]
65risk_score = 47
66rule_id = "4577ef08-61d1-4458-909f-25a4b10c87fe"
67severity = "medium"
68tags = [
69    "Domain: Cloud",
70    "Data Source: AWS",
71    "Data Source: Amazon Web Services",
72    "Data Source: AWS RDS",
73    "Resources: Investigation Guide",
74    "Use Case: Threat Detection",
75    "Tactic: Exfiltration",
76]
77timestamp_override = "event.ingested"
78type = "eql"
79
80query = '''
81any where event.dataset == "aws.cloudtrail"
82    and event.provider == "rds.amazonaws.com"
83    and event.outcome == "success"
84    and event.action in ("ModifyDBSnapshotAttribute", "ModifyDBClusterSnapshotAttribute") 
85    and stringContains(aws.cloudtrail.request_parameters, "attributeName=restore")
86    and stringContains(aws.cloudtrail.request_parameters, "valuesToAdd=[*]")
87'''
88
89[[rule.threat]]
90framework = "MITRE ATT&CK"
91[[rule.threat.technique]]
92id = "T1537"
93name = "Transfer Data to Cloud Account"
94reference = "https://attack.mitre.org/techniques/T1537/"
95
96[rule.threat.tactic]
97id = "TA0010"
98name = "Exfiltration"
99reference = "https://attack.mitre.org/tactics/TA0010/"