AWS RDS DB Instance or Cluster Deleted
Identifies the deletion of an Amazon RDS DB instance, Aurora cluster, or global database cluster. Deleting these resources permanently destroys stored data and can cause major service disruption. Adversaries with sufficient permissions may delete RDS resources to impede recovery, destroy evidence, or inflict operational impact on the environment.
Elastic rule
[metadata]
creation_date = "2020/05/21"
integration = ["aws"]
maturity = "production"
updated_date = "2025/11/24"

[rule]
author = ["Elastic"]
description = """
Identifies the deletion of an Amazon RDS DB instance, Aurora cluster, or global database cluster. Deleting these
resources permanently destroys stored data and can cause major service disruption. Adversaries with sufficient
permissions may delete RDS resources to impede recovery, destroy evidence, or inflict operational impact on the
environment.
"""
false_positives = [
    """
    RDS instances or clusters may be intentionally deleted by database administrators or during planned decommissioning
    activities. Verify the user identity, source IP, and change context to ensure the deletion is expected.
    CloudFormation stack removals and automated cleanup workflows may also trigger these events and can be exempted if
    known and authorized.
    """,
]
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS RDS DB Instance or Cluster Deleted"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance.
> While every effort has been made to ensure its quality, validate and adapt it to suit your operational needs.

### Investigating AWS RDS DB Instance or Cluster Deleted

This rule detects the deletion of an RDS DB instance, Aurora DB cluster, or global database cluster. Deleting a DB instance or cluster destroys its stored data: a final snapshot is taken only if the caller leaves `SkipFinalSnapshot` false and supplies a `FinalDBSnapshotIdentifier`, and the automated backups are removed together with the resource unless `DeleteAutomatedBackups` is explicitly set to false. Manual snapshots are not affected by the deletion itself. Adversaries may delete RDS resources as part of a destructive attack, to eliminate forensic evidence, or to disrupt critical workloads. Because the deletion cannot be undone without a snapshot or retained backups, immediate review is required to determine whether the action was authorized and to assess potential data loss.

#### Possible investigation steps

**Identify the Actor**
- Review `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` to determine who performed the action.
- Validate:
  - Is this user/role authorized to delete DB instances or clusters?
  - Does this action align with past behavior?

**Review the Deletion Event**
- Confirm which action was invoked: `DeleteDBInstance`, `DeleteDBCluster` or `DeleteGlobalCluster`.
- Examine `aws.cloudtrail.request_parameters` and `target.entity.id`. Identify which resource was deleted, whether a final snapshot was taken (`SkipFinalSnapshot` and `FinalDBSnapshotIdentifier`), and whether automated backups were kept (`DeleteAutomatedBackups`). A `DeleteGlobalCluster` call removes only the global container; its member clusters are deleted by their own `DeleteDBCluster` calls, so look for those as well.

**Analyze Source and Access Context**
- Check `source.ip`, `source.geo` fields and `user_agent.original`.
- Validate whether:
  - The request originated from a known network or VPN.
  - The user normally logs in from this location.
  - The call was made via AWS Console vs CLI vs SDK.

**Correlate Surrounding Activity**
Search CloudTrail for:
- Recent IAM role or policy changes.
- Privilege escalation events (STS AssumeRole, CreateAccessKey, AttachUserPolicy).
- Disablement of related safety controls:
  - `ModifyDBInstance` or `ModifyDBCluster` with deletionProtection set to `false` (a delete call fails while deletion protection is on, so this step usually precedes a deliberate deletion)
  - backupRetentionPeriod set to `0`
- Suspicious sequencing:
  - Snapshots deleted (`DeleteDBSnapshot`, `DeleteDBClusterSnapshot`) before the instance/cluster deletion.
  - Security group modifications enabling broader access before deletion.

**Validate Organizational Intent**
- Contact the service owner or DB administrator to confirm whether the deletion is expected.

**Assess Impact and Data Recovery Path**
- Identify which DB instance or cluster was deleted (`target.entity.id`).
- Evaluate:
  - Whether automated backups existed and were retained (`DeleteAutomatedBackups` set to false leaves a retained automated backup that can still be restored).
  - Whether point-in-time recovery is still possible.
  - Whether a final snapshot or an earlier manual snapshot exists.

### False positive analysis

- **Planned decommissioning**:
  - Confirm if this action aligns with a scheduled removal or environment cleanup.
- **CloudFormation stack deletion**:
  - Stack teardown often deletes RDS resources; confirm if this occurred.
- **Automated testing or ephemeral environments**:
  - Test/dev pipelines may frequently create and delete clusters.
- **Infrastructure-as-code workflows**:
  - Terraform destroys or GitOps cleanup jobs can generate legitimate deletion events.

### Response and remediation

**If the deletion was unauthorized:**
**Immediately restrict the actor**
  - Disable or revoke the user's access keys.
  - Revoke active session tokens.

**Attempt recovery**
  - Restore from:
    - Final snapshot (if created)
    - Retained automated backups or an earlier manual snapshot
  - Rebuild cluster/instance configurations based on IaC or documented templates.

**Perform full log review**
  - CloudTrail, RDS event notifications and database logs, and VPC Flow Logs
  - Identify lateral movement or privilege escalation preceding the deletion.

**Scope and contain the incident**
  - Determine whether:
    - Additional RDS resources were targeted
    - IAM permissions were modified
    - Other destructive API calls were made

**Hardening actions**
  - Enable deletionProtection on all critical instances/clusters.
  - Require final snapshot creation for all deletion operations.
  - Enforce MFA for IAM users with RDS privileges.
  - Limit RDS modification/deletion permissions to specific IAM roles.

**Documentation and Follow-Up**
  - Update incident response runbooks.
  - Communicate with service owners and leadership.
  - Add enhanced monitoring rules around:
    - Snapshot deletions
    - Backup retention modifications
    - RDS role changes
    - DeletionProtection disable events

### Additional information

- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)**
- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)**
- **Security Best Practices:** [AWS Knowledge Center – Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/).
"""
references = [
    "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBCluster.html",
    "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteGlobalCluster.html",
    "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBInstance.html",
]
risk_score = 47
rule_id = "9055ece6-2689-4224-a0e0-b04881e1f8ad"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS RDS",
    "Use Case: Asset Visibility",
    "Tactic: Impact",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset: aws.cloudtrail
    and event.provider: rds.amazonaws.com
    and event.action: (DeleteDBCluster or DeleteGlobalCluster or DeleteDBInstance)
    and event.outcome: success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1485"
name = "Data Destruction"
reference = "https://attack.mitre.org/techniques/T1485/"


[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "target.entity.id",
    "event.action",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
    "aws.cloudtrail.request_parameters",
    "aws.cloudtrail.response_elements",
]
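The following is an added example, not code from the Elastic rule or the detection-rules project. It applies the rule's filter (`event.provider`, `event.action`, `event.outcome: success`) to raw CloudTrail records rather than ECS-mapped documents, then performs the guide's "Review the Deletion Event" step (final snapshot and automated-backup flags from the request parameters) and its "Correlate Surrounding Activity" step (deletion protection turned off, retention set to 0, or snapshots deleted for the same resource in the preceding window). The records are constructed: the account ID, ARNs, access key IDs, IPs and identifiers are made up, the lower-camelCase `requestParameters` key names (e.g. `dBInstanceIdentifier`) are an assumption about CloudTrail's serialization of the RDS API, the "snapshots are named after their source" match is a heuristic, and the medium-to-high escalation is the example's own, not part of the rule.

```python
from datetime import datetime, timedelta, timezone

DELETE_ACTIONS = {"DeleteDBInstance", "DeleteDBCluster", "DeleteGlobalCluster"}
# Assumption: requestParameters keys are CloudTrail's lower-camelCase form of the API names.
TARGET_KEY = {"DeleteDBInstance": "dBInstanceIdentifier", "ModifyDBInstance": "dBInstanceIdentifier",
              "DeleteDBCluster": "dBClusterIdentifier", "ModifyDBCluster": "dBClusterIdentifier",
              "DeleteGlobalCluster": "globalClusterIdentifier"}
SNAPSHOT_DELETES = {"DeleteDBSnapshot": "dBSnapshotIdentifier",
                    "DeleteDBClusterSnapshot": "dBClusterSnapshotIdentifier"}

def make_event(time, name, params, arn="arn:aws:sts::111122223333:assumed-role/ops-admin/alice",
               key="ASIAEXAMPLEKEY00001", ip="203.0.113.7", agent="aws-cli/2.15.30", error=None):
    """Trimmed CloudTrail record; every value is constructed sample data, not a capture."""
    rec = {"eventTime": time, "eventSource": "rds.amazonaws.com", "eventName": name,
           "userIdentity": {"type": "AssumedRole", "arn": arn, "accessKeyId": key},
           "sourceIPAddress": ip, "userAgent": agent, "requestParameters": params}
    if error:
        rec["errorCode"] = error
    return rec

SAMPLE_EVENTS = [
    make_event("2025-11-24T09:58:00Z", "ModifyDBInstance",
               {"dBInstanceIdentifier": "prod-orders", "deletionProtection": False}),
    make_event("2025-11-24T10:01:00Z", "DeleteDBSnapshot", {"dBSnapshotIdentifier": "prod-orders-2025-11-23"}),
    make_event("2025-11-24T10:02:00Z", "DeleteDBInstance",  # denied attempt: event.outcome would be failure
               {"dBInstanceIdentifier": "prod-orders", "skipFinalSnapshot": True}, error="AccessDenied"),
    make_event("2025-11-24T10:03:00Z", "DeleteDBInstance",
               {"dBInstanceIdentifier": "prod-orders", "skipFinalSnapshot": True, "deleteAutomatedBackups": True}),
    make_event("2025-11-24T11:00:00Z", "DeleteDBCluster",  # IaC teardown that kept a final snapshot
               {"dBClusterIdentifier": "staging-aurora", "skipFinalSnapshot": False,
                "finalDBSnapshotIdentifier": "staging-aurora-final"},
               arn="arn:aws:sts::111122223333:assumed-role/terraform-ci/gha", key="ASIAEXAMPLEKEY00002",
               ip="10.20.0.5", agent="APN/1.0 HashiCorp/1.0 Terraform/1.9.0"),
]

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def matches_rule(ev):
    """Raw-record form of the KQL: event.provider is eventSource, event.action is eventName,
    and event.outcome is 'success' only when CloudTrail logged no errorCode."""
    return (ev.get("eventSource") == "rds.amazonaws.com"
            and ev.get("eventName") in DELETE_ACTIONS and "errorCode" not in ev)

def triage(ev):
    """The actor/source fields the guide lists, plus what the call did to the recovery path."""
    rp, action = ev.get("requestParameters") or {}, ev["eventName"]
    info = {"action": action, "target": rp.get(TARGET_KEY[action]),
            "actor_arn": ev["userIdentity"].get("arn"), "access_key_id": ev["userIdentity"].get("accessKeyId"),
            "source_ip": ev.get("sourceIPAddress"), "user_agent": ev.get("userAgent")}
    if action == "DeleteGlobalCluster":
        # Only the container is removed; data sits in member clusters deleted by their own calls.
        info["final_snapshot_retained"] = info["automated_backups_deleted"] = None
    else:
        # A final snapshot is taken unless SkipFinalSnapshot is true; DeleteAutomatedBackups
        # defaults to true, so omitting it means the automated backups are removed as well.
        info["final_snapshot_retained"] = not rp.get("skipFinalSnapshot", False)
        info["automated_backups_deleted"] = rp.get("deleteAutomatedBackups", True)
    return info

def precursors(deletion, events, window=timedelta(hours=24)):
    """Safety-control rollbacks and snapshot deletions for the same resource in the window
    before the deletion (the guide's 'Correlate Surrounding Activity' step)."""
    target, t_del = triage(deletion)["target"], parse_time(deletion["eventTime"])
    found = []
    for ev in events:
        if "errorCode" in ev or not (t_del - window <= parse_time(ev["eventTime"]) < t_del):
            continue
        name, rp = ev["eventName"], ev.get("requestParameters") or {}
        if name in ("ModifyDBInstance", "ModifyDBCluster") and rp.get(TARGET_KEY[name]) == target:
            if rp.get("deletionProtection") is False:
                found.append((name, "deletionProtection set to false"))
            if rp.get("backupRetentionPeriod") == 0:
                found.append((name, "backupRetentionPeriod set to 0"))
        elif name in SNAPSHOT_DELETES:
            snap = rp.get(SNAPSHOT_DELETES[name], "")
            if snap.startswith(target):  # assumption: snapshots are named after their source
                found.append((name, f"snapshot {snap} deleted"))
    return found

def run(events):
    """Apply the rule, enrich each hit, and escalate when the data is unrecoverable or the
    deletion was prepared for. The escalation is this example's heuristic, not the rule's."""
    findings = []
    for ev in events:
        if not matches_rule(ev):
            continue
        f = triage(ev)
        f["precursors"] = precursors(ev, events)
        unrecoverable = f["final_snapshot_retained"] is False and bool(f["automated_backups_deleted"])
        f["severity"] = "high" if unrecoverable or f["precursors"] else "medium"
        findings.append(f)
    return findings

if __name__ == "__main__":
    for f in run(SAMPLE_EVENTS):
        print(f["severity"], f["action"], f["target"], f["actor_arn"], f["precursors"])
```

Run against the sample, the denied `DeleteDBInstance` produces no finding (the rule requires `event.outcome: success`), the successful `prod-orders` deletion is flagged high because it skipped the final snapshot, dropped automated backups and was preceded by a deletion-protection change and a snapshot deletion, and the Terraform `staging-aurora` teardown that kept a final snapshot stays at the rule's medium. The same shape works on CloudTrail records pulled from S3 or from an Elastic index if the ECS fields are mapped back to the raw names.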
Related rules
- AWS RDS Snapshot Deleted
- Deprecated - AWS RDS Instance/Cluster Stoppage
- AWS RDS DB Instance Restored
- AWS RDS DB Instance or Cluster Deletion Protection Disabled
- Deprecated - AWS RDS Cluster Creation