AWS RDS DB Instance or Cluster Deleted

Identifies the deletion of an Amazon RDS DB instance, Aurora cluster, or global database cluster. Deleting these resources permanently destroys stored data and can cause major service disruption. Adversaries with sufficient permissions may delete RDS resources to impede recovery, destroy evidence, or inflict operational impact on the environment.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2020/05/21"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/21"

[rule]
author = ["Elastic"]
description = """
Identifies the deletion of an Amazon RDS DB instance, Aurora cluster, or global database cluster. Deleting these
resources permanently destroys stored data and can cause major service disruption. Adversaries with sufficient
permissions may delete RDS resources to impede recovery, destroy evidence, or inflict operational impact on the
environment.
"""
false_positives = [
    """
    RDS instances or clusters may be intentionally deleted by database administrators or during planned decommissioning
    activities. Verify the user identity, source IP, and change context to ensure the deletion is expected.
    CloudFormation stack removals and automated cleanup workflows may also trigger these events and can be exempted if
    known and authorized.
    """,
]
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS RDS DB Instance or Cluster Deleted"
note = """## Triage and analysis

### Investigating AWS RDS DB Instance or Cluster Deleted

This rule detects the deletion of an RDS DB instance, Aurora DB cluster, or global database cluster. These operations permanently remove stored data and backups unless final snapshots are explicitly retained. Adversaries may delete RDS resources as part of a destructive attack, to eliminate forensic evidence, or to disrupt critical workloads. Because deletions are irreversible without backups, immediate review is required to determine whether the action was authorized and assess potential data loss.

#### Possible investigation steps

**Identify the Actor**
- Review `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` to determine who performed the action.
- Validate:
  - Is this user/role authorized to delete DB instances or clusters?
  - Does this action align with past behavior?

**Review the Deletion Event**
- Confirm which action was invoked: `DeleteDBInstance`, `DeleteDBCluster` or `DeleteGlobalCluster`.
- Examine `aws.cloudtrail.request_parameters`. Identify which resource was deleted and whether a final snapshot was created before deletion.

**Analyze Source and Access Context**
- Check `source.ip`, `source.geo` fields and `user_agent.original`.
- Validate whether:
  - The request originated from a known network or VPN.
  - The user normally logs in from this location.
  - The call was made via AWS Console vs CLI vs SDK.

**Correlate Surrounding Activity**
Search CloudTrail for:
- Recent IAM role or policy changes.
- Privilege escalation events (STS AssumeRole, CreateAccessKey, AttachUserPolicy).
- Disablement of related safety controls:
  - deletionProtection modified to `false`
  - backupRetentionPeriod set to `0`
- Suspicious sequencing:
  - Snapshots deleted before the instance/cluster deletion.
  - Network security group modifications enabling broader access before deletion.

**Validate Organizational Intent**
- Contact the service owner or DB administrator to confirm whether the deletion is expected.

**Assess Impact and Data Recovery Path**
- Identify which DB instance or cluster was deleted.
- Evaluate:
  - Whether automated backups existed.
  - Whether point-in-time recovery is still possible.
  - Whether a final snapshot was created.

### False positive analysis

- **Planned decommissioning**:  
  - Confirm if this action aligns with a scheduled removal or environment cleanup.
- **CloudFormation stack deletion**:  
  - Stack teardown often deletes RDS resources; confirm if this occurred.
- **Automated testing or ephemeral environments**:  
  - Test/dev pipelines may frequently create and delete clusters.
- **Infrastructure-as-code workflows**:  
  - Terraform destroys or GitOps cleanup jobs can generate legitimate deletion events.

### Response and remediation

**If the deletion was unauthorized:**

**Immediately restrict the actor**
   - Disable or revoke the user's access keys.
   - Revoke active session tokens.

**Attempt recovery**
   - Restore from:
     - Final snapshot (if created)
     - Automated backups
   - Rebuild cluster/instance configurations based on IaC or documented templates.

**Perform full log review**
   - CloudTrail, RDS Enhanced Monitoring, and VPC Flow Logs
   - Identify lateral movement or privilege escalation preceding the deletion.

**Scope and contain the incident**
   - Determine whether:
     - Additional RDS resources were targeted
     - IAM permissions were modified
     - Other destructive API calls were made

**Hardening actions**
   - Enable deletionProtection on all critical instances/clusters.
   - Require final snapshot creation for all deletion operations.
   - Enforce MFA for IAM users with RDS privileges.
   - Limit RDS modification/deletion permissions to specific IAM roles.

**Documentation and Follow-Up**
   - Update incident response runbooks.
   - Communicate with service owners and leadership.
   - Add enhanced monitoring rules around:
     - Snapshot deletions
     - Backup retention modifications
     - RDS role changes
     - DeletionProtection disable events

### Additional information

- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)**
- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)**
- **Security Best Practices:** [AWS Knowledge Center – Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/).
"""
references = [
    "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBCluster.html",
    "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteGlobalCluster.html",
    "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBInstance.html",
]
risk_score = 47
rule_id = "9055ece6-2689-4224-a0e0-b04881e1f8ad"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS RDS",
    "Use Case: Asset Visibility",
    "Tactic: Impact",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset: aws.cloudtrail
    and event.provider: rds.amazonaws.com
    and event.action: (DeleteDBCluster or DeleteGlobalCluster or DeleteDBInstance)
    and event.outcome: success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1485"
name = "Data Destruction"
reference = "https://attack.mitre.org/techniques/T1485/"


[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "event.action",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
    "aws.cloudtrail.request_parameters",
    "aws.cloudtrail.response_elements",
]
```
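As an added example (not part of the rule or of Elastic's code), the Python below mirrors the rule's KQL on raw CloudTrail records and pulls out the triage fields the investigation guide lists, including whether a final snapshot exists to restore from. The records, account ids, ARNs and IPs are constructed; it assumes the aws.cloudtrail integration sets `event.outcome: success` for records that carry no `errorCode`.

```python
DELETE_ACTIONS = {"DeleteDBInstance", "DeleteDBCluster", "DeleteGlobalCluster"}

def matches_rule(event: dict) -> bool:
    """Mirror of the rule's KQL on a raw CloudTrail record. Assumes the
    integration derives event.outcome: success from the absence of errorCode."""
    return (
        event.get("eventSource") == "rds.amazonaws.com"
        and event.get("eventName") in DELETE_ACTIONS
        and "errorCode" not in event
    )

def triage(event: dict) -> dict:
    """Extract the fields the investigation guide asks an analyst to review."""
    params = event.get("requestParameters") or {}
    ident = event.get("userIdentity") or {}
    resource = (params.get("dBInstanceIdentifier") or params.get("dBClusterIdentifier")
                or params.get("globalClusterIdentifier"))  # CloudTrail lower-cases the first letter
    skip = bool(params.get("skipFinalSnapshot", False))
    return {
        "action": event["eventName"],
        "resource": resource,
        "actor_arn": ident.get("arn"),
        "access_key_id": ident.get("accessKeyId"),
        "source_ip": event.get("sourceIPAddress"),
        "user_agent": event.get("userAgent"),
        # With SkipFinalSnapshot=true there is no final snapshot to restore from.
        "final_snapshot": None if skip else params.get("finalDBSnapshotIdentifier"),
        "recovery_risk": "high" if skip else "lower",
    }

def run(records):
    """Apply the rule to a batch of records and return one triage summary per hit."""
    return [triage(e) for e in records if matches_rule(e)]

# Constructed sample records (not real data): an instance deleted without a final
# snapshot, a cluster deleted with one, a denied attempt, and an unrelated call.
SAMPLE = [
    {"eventSource": "rds.amazonaws.com", "eventName": "DeleteDBInstance",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice", "accessKeyId": "AKIAEXAMPLE"},
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "requestParameters": {"dBInstanceIdentifier": "prod-orders", "skipFinalSnapshot": True}},
    {"eventSource": "rds.amazonaws.com", "eventName": "DeleteDBCluster",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/DBAdmin/bob"},
     "sourceIPAddress": "198.51.100.7", "userAgent": "console.amazonaws.com",
     "requestParameters": {"dBClusterIdentifier": "aurora-reports", "skipFinalSnapshot": False,
                           "finalDBSnapshotIdentifier": "aurora-reports-final"}},
    {"eventSource": "rds.amazonaws.com", "eventName": "DeleteDBInstance", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/mallory"},
     "requestParameters": {"dBInstanceIdentifier": "prod-orders"}},
    {"eventSource": "rds.amazonaws.com", "eventName": "DescribeDBInstances"},
]
```

Running `run(SAMPLE)` yields two hits; the denied attempt and the describe call are dropped, and the first hit is flagged `recovery_risk: high` because it skipped the final snapshot.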
