AWS Deletion of RDS Instance or Cluster
Identifies the deletion of an Amazon Relational Database Service (RDS) Aurora database cluster, global database cluster, or database instance.
Elastic rule
[metadata]
creation_date = "2020/05/21"
integration = ["aws"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies the deletion of an Amazon Relational Database Service (RDS) Aurora database cluster, global database cluster,
or database instance.
"""
false_positives = [
    """
    Clusters or instances may be deleted by a system administrator. Verify whether the user identity, user agent, and/or
    hostname should be making changes in your environment. Cluster or instance deletions by unfamiliar users or hosts
    should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
]
from = "now-60m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS Deletion of RDS Instance or Cluster"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating AWS Deletion of RDS Instance or Cluster

Amazon RDS simplifies database management by automating tasks like setup and scaling. However, adversaries can exploit this by deleting RDS instances or clusters, causing data loss and service disruption. The detection rule monitors AWS CloudTrail logs for successful deletion actions, alerting security teams to potential malicious activity aimed at data destruction.

### Possible investigation steps

- Review the AWS CloudTrail logs to confirm the event details, focusing on the event.provider as rds.amazonaws.com and event.action values such as DeleteDBCluster, DeleteGlobalCluster, or DeleteDBInstance.
- Identify the user or role responsible for the deletion by examining the user identity information in the CloudTrail logs, and verify if the action aligns with their typical behavior or responsibilities.
- Check the event time and correlate it with any other suspicious activities or alerts in the AWS environment to determine if the deletion is part of a broader attack pattern.
- Investigate the context of the deletion by reviewing recent changes or activities in the AWS account, such as IAM policy changes or unusual login attempts, to assess if the account may have been compromised.
- Assess the impact of the deletion by identifying the specific RDS instance or cluster affected and determining the potential data loss or service disruption caused by the action.
- Contact the responsible team or individual to verify if the deletion was intentional and authorized, and if not, initiate incident response procedures to mitigate further risk.

### False positive analysis

- Routine maintenance activities by database administrators can trigger alerts when they intentionally delete RDS instances or clusters. To manage this, create exceptions for known maintenance windows or specific administrator actions.
- Automated scripts or tools used for testing and development purposes might delete RDS resources as part of their normal operation. Identify these scripts and exclude their actions from triggering alerts by using specific user or role identifiers.
- Scheduled decommissioning of outdated or unused RDS instances can also result in false positives. Maintain an updated list of decommissioning schedules and exclude these from the detection rule.
- CloudFormation stack deletions that include RDS resources can lead to alerts. Monitor CloudFormation activities and correlate them with RDS deletions to differentiate between legitimate and suspicious actions.

### Response and remediation

- Immediately isolate the affected AWS account to prevent further unauthorized actions. This can be done by revoking access keys and disabling any suspicious IAM user accounts or roles involved in the deletion.
- Initiate a recovery process for the deleted RDS instance or cluster using available backups or snapshots. Ensure that the restoration is performed in a secure environment to prevent further compromise.
- Conduct a thorough review of AWS CloudTrail logs to identify any unauthorized access patterns or anomalies leading up to the deletion event. This will help in understanding the scope of the breach and identifying potential entry points.
- Escalate the incident to the organization's security operations center (SOC) or incident response team for further investigation and to determine if additional systems or data were affected.
- Implement enhanced monitoring and alerting for AWS RDS and other critical resources to detect similar deletion attempts in the future. This includes setting up alerts for any unauthorized changes to IAM policies or roles.
- Review and strengthen IAM policies to ensure the principle of least privilege is enforced, reducing the risk of unauthorized deletions by limiting permissions to only those necessary for specific roles.
- Communicate with stakeholders and affected parties about the incident, outlining the steps taken for recovery and measures implemented to prevent future occurrences.

## Setup

The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
    "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-db-cluster.html",
    "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBCluster.html",
    "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-global-cluster.html",
    "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteGlobalCluster.html",
    "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-db-instance.html",
    "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBInstance.html",
]
risk_score = 47
rule_id = "9055ece6-2689-4224-a0e0-b04881e1f8ad"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS RDS",
    "Use Case: Asset Visibility",
    "Tactic: Impact",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(DeleteDBCluster or DeleteGlobalCluster or DeleteDBInstance)
and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1485"
name = "Data Destruction"
reference = "https://attack.mitre.org/techniques/T1485/"


[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
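The rule's KQL query restated as a Python predicate and run over a handful of constructed CloudTrail records, so the triage points above (provider, action, outcome, responsible identity, exception for a known automation role) can be seen against concrete events. This is an added example, not code from the Elastic rule or the AWS CloudTrail integration. The ECS projection in `to_ecs` is a simplification of how the integration maps `eventSource`, `eventName` and `errorCode`; the sample records, the account id, the `rds-decommission-pipeline` role and `EXEMPT_ROLE_ARNS` are all constructed for illustration.

```python
"""Added example: evaluate the 'AWS Deletion of RDS Instance or Cluster' rule
logic over constructed CloudTrail records. Not part of the Elastic rule."""

# The three RDS API calls named in the rule's event.action clause.
RDS_DELETE_ACTIONS = {"DeleteDBCluster", "DeleteGlobalCluster", "DeleteDBInstance"}

# Hypothetical rule exception for an approved decommissioning pipeline,
# keyed on the role ARN as the false-positive guidance suggests.
# Constructed account id and role name; not taken from the rule.
EXEMPT_ROLE_ARNS = {"arn:aws:iam::123456789012:role/rds-decommission-pipeline"}


def identity_arn(user_identity: dict) -> str:
    """For assumed roles CloudTrail records the session ARN in userIdentity.arn
    and the underlying role ARN in sessionContext.sessionIssuer.arn. Prefer the
    role ARN so an exception keyed on it covers every session of that role."""
    issuer = user_identity.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or user_identity.get("arn", "")


def to_ecs(record: dict) -> dict:
    """Project a raw CloudTrail record onto the ECS fields the rule queries
    (simplified: eventSource -> event.provider, eventName -> event.action,
    presence of errorCode -> event.outcome failure, otherwise success)."""
    ident = record.get("userIdentity", {})
    return {
        "event.dataset": "aws.cloudtrail",
        "event.provider": record.get("eventSource"),
        "event.action": record.get("eventName"),
        "event.outcome": "failure" if "errorCode" in record else "success",
        "user.name": ident.get("userName"),
        "aws.cloudtrail.user_identity.arn": identity_arn(ident),
        "user_agent.original": record.get("userAgent"),
        "aws.cloudtrail.request_parameters": record.get("requestParameters", {}),
    }


def matches_rule(ecs: dict) -> bool:
    """The rule query as a predicate: RDS provider, one of the three deletion
    actions, and a successful outcome."""
    return (
        ecs["event.dataset"] == "aws.cloudtrail"
        and ecs["event.provider"] == "rds.amazonaws.com"
        and ecs["event.action"] in RDS_DELETE_ACTIONS
        and ecs["event.outcome"] == "success"
    )


def is_exempt(ecs: dict) -> bool:
    """Exception check on the (role) identity that performed the call."""
    return ecs["aws.cloudtrail.user_identity.arn"] in EXEMPT_ROLE_ARNS


def evaluate(records: list) -> list:
    """Return one triage summary per record that fires the rule and is not
    covered by an exception. The summary carries what the investigation
    steps ask for first: time, action, identity, user agent, target."""
    alerts = []
    for rec in records:
        ecs = to_ecs(rec)
        if not matches_rule(ecs) or is_exempt(ecs):
            continue
        params = ecs["aws.cloudtrail.request_parameters"]
        alerts.append({
            "time": rec.get("eventTime"),
            "action": ecs["event.action"],
            "identity": ecs["aws.cloudtrail.user_identity.arn"],
            "user_agent": ecs["user_agent.original"],
            "target": (params.get("dBInstanceIdentifier")
                       or params.get("dBClusterIdentifier")
                       or params.get("globalClusterIdentifier")),
            # skipFinalSnapshot=true on a deletion removes the last recovery
            # point and is worth surfacing for the impact assessment step.
            "skip_final_snapshot": bool(params.get("skipFinalSnapshot", False)),
        })
    return alerts


# Constructed sample records (not real CloudTrail output); only the fields
# the projection above reads are included.
SAMPLE_RECORDS = [
    {   # 1: IAM user deletes a production instance with no final snapshot -> alert
        "eventTime": "2025-01-15T03:12:44Z", "eventSource": "rds.amazonaws.com",
        "eventName": "DeleteDBInstance", "userAgent": "aws-cli/2.15.0",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"dBInstanceIdentifier": "orders-prod",
                              "skipFinalSnapshot": True},
    },
    {   # 2: approved pipeline role deletes a cluster -> matches, but exempt
        "eventTime": "2025-01-15T04:00:01Z", "eventSource": "rds.amazonaws.com",
        "eventName": "DeleteDBCluster", "userAgent": "aws-sdk-go/1.44.0",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/rds-decommission-pipeline/run-42",
                         "sessionContext": {"sessionIssuer": {
                             "arn": "arn:aws:iam::123456789012:role/rds-decommission-pipeline"}}},
        "requestParameters": {"dBClusterIdentifier": "legacy-reporting"},
    },
    {   # 3: denied attempt -> event.outcome is failure, rule does not fire
        "eventTime": "2025-01-15T04:10:09Z", "eventSource": "rds.amazonaws.com",
        "eventName": "DeleteDBInstance", "errorCode": "AccessDenied",
        "userIdentity": {"type": "IAMUser", "userName": "bob",
                         "arn": "arn:aws:iam::123456789012:user/bob"},
        "requestParameters": {"dBInstanceIdentifier": "orders-prod"},
    },
    {   # 4: snapshot deletion belongs to a different rule, not this one
        "eventTime": "2025-01-15T04:20:00Z", "eventSource": "rds.amazonaws.com",
        "eventName": "DeleteDBSnapshot",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"dBSnapshotIdentifier": "orders-prod-2025-01-10"},
    },
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_RECORDS):
        print(alert)
```

Only the first record produces an alert; the second matches the query but is dropped by the role-ARN exception, the third fails `event.outcome:success`, and the fourth is a snapshot deletion handled by the separate "AWS RDS Snapshot Deleted" rule. Keying the exception on `sessionIssuer.arn` rather than the session ARN is what keeps a role-based exemption stable across sessions.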
Related rules
- AWS RDS Instance/Cluster Stoppage
- AWS RDS Snapshot Deleted
- AWS RDS Cluster Creation
- AWS RDS DB Instance Restored
- AWS RDS DB Instance or Cluster Deletion Protection Disabled