AWS RDS DB Instance or Cluster Deletion Protection Disabled

Identifies the modification of an AWS RDS DB instance or cluster to disable the deletionProtection feature. Deletion protection prevents accidental or unauthorized deletion of RDS resources. Adversaries with sufficient permissions may disable this protection as a precursor to destructive actions, including the deletion of databases containing sensitive or business-critical data. This rule alerts when deletionProtection is explicitly set to false on an RDS DB instance or cluster.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2024/06/28"
integration = ["aws"]
maturity = "production"
updated_date = "2025/11/24"

[rule]
author = ["Elastic"]
description = """
Identifies the modification of an AWS RDS DB instance or cluster to disable the deletionProtection feature. Deletion
protection prevents accidental or unauthorized deletion of RDS resources. Adversaries with sufficient permissions may
disable this protection as a precursor to destructive actions, including the deletion of databases containing sensitive
or business-critical data. This rule alerts when deletionProtection is explicitly set to false on an RDS DB instance or
cluster.
"""
false_positives = [
    """
    The deletionProtection feature must be disabled as a prerequisite for deletion of a DB instance or cluster. Ensure
    that the instance should not be modified in this way before taking action.
    """,
]
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "eql"
license = "Elastic License v2"
name = "AWS RDS DB Instance or Cluster Deletion Protection Disabled"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance.
> While every effort has been made to ensure its quality, validate and adapt it to suit your operational needs.

### Investigating AWS RDS DB Instance or Cluster Deletion Protection Disabled

Deletion protection is designed to safeguard RDS DB instances and clusters from accidental or unauthorized deletion. An adversary with privileged access in a compromised environment can disable this safeguard before issuing a `DeleteDBInstance` or `DeleteDBCluster` action. This rule detects successful attempts to modify deletionProtection and set it to false on any RDS instance or cluster.

#### Possible investigation steps

- **Identify the Actor**
  - Review `aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.type`, and `access_key_id` to determine which IAM principal made the change.
  - Validate whether this principal normally performs RDS lifecycle operations.

- **Review Event Details**
  - Inspect `aws.cloudtrail.request_parameters` or `target.entity.id` to confirm the targeted DB instance or cluster identifier.
  - Confirm that the request explicitly contains `deletionProtection=false`.

- **Contextualize the Change**
  - Determine if recent activities justify the removal of deletion protection (migration, decommissioning, or maintenance).
  - Compare the timestamp to normal operational hours or deployment windows.

- **Correlate with Additional Activity**
  - Look for subsequent or preceding RDS actions such as:
    - `DeleteDBInstance`
    - `DeleteDBCluster`
    - Security group modifications
    - Changes to parameter groups or backup retention policies.
  - Sudden removal of backups or snapshots may indicate imminent destructive activity.

- **Verify Environmental Risk**
  - Assess the sensitivity of data stored in the affected DB instance or cluster.
  - Determine if the instance is production, customer-facing, or mission-critical.

- **Interview Relevant Personnel**
  - Confirm with service owners or DB administrators whether the modification was intended and approved.

### False positive analysis

- **Expected Decommissioning**
  - Instances undergoing teardown or migration legitimately require deletion protection to be disabled first.

- **Inconsistent Historical Behavior**
  - Compare the action to historical modification patterns for the user or role. If the action aligns with past legitimate changes, it may not be suspicious.

### Response and remediation

- **Immediate Remediation**
  - If unauthorized, re-enable deletion protection (`deletionProtection=true`) on the affected DB instance or cluster.
  - Review security groups, backup retention, and snapshot policies for additional unauthorized changes.

- **Access Review**
  - Investigate credential exposure for the IAM principal that performed the action.
  - Rotate access keys or temporarily revoke permissions if compromise is suspected.

- **Containment**
  - If destructive intent is suspected, apply guardrails (e.g., IAM condition keys, SCPs) to prevent DB deletion.

- **Audit and Harden**
  - Ensure RDS instances adhere to least-privilege principles.
  - Restrict who can modify `ModifyDBInstance` or `ModifyDBCluster` destructive settings, such as deletion protection, backup retention, and public accessibility.

- **Incident Response Activation**
  - Treat unauthorized removal of deletion protection as a high-risk precursor to data destruction.
  - Trigger IR processes for containment, root cause analysis, and post-incident hardening.

### Additional information

- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)**
- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)**
- **Security Best Practices:** [AWS Knowledge Center – Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/).
"""
references = [
    "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBInstance.html",
    "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_DeleteInstance.html",
]
risk_score = 47
rule_id = "f6652fb5-cd8e-499c-8311-2ce2bb6cac62"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS RDS",
    "Resources: Investigation Guide",
    "Use Case: Threat Detection",
    "Tactic: Impact",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
any where event.dataset == "aws.cloudtrail"
    and event.provider == "rds.amazonaws.com"
    and event.action in ("ModifyDBInstance", "ModifyDBCluster")
    and event.outcome == "success"
    and stringContains(aws.cloudtrail.request_parameters, "deletionProtection=false")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1485"
name = "Data Destruction"
reference = "https://attack.mitre.org/techniques/T1485/"


[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "target.entity.id",
    "event.action",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
    "aws.cloudtrail.request_parameters",
    "aws.cloudtrail.response_elements",
]
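The conditions the EQL query above expresses, applied to raw CloudTrail records rather than to the Elastic-mapped fields, together with the follow-on correlation the investigation guide asks for (a successful DeleteDBInstance or DeleteDBCluster on the same identifier shortly after protection is removed). This is an added example and not Elastic's code; the sample records, account id, identifiers, ARN, access key id and the 30-minute correlation window are constructed assumptions. One point it makes explicit: in the raw record deletionProtection is a JSON boolean, whereas the rule matches the flattened string `deletionProtection=false` in `aws.cloudtrail.request_parameters`, so a detector working on raw logs must test the boolean, not the string.

```python
"""Added example (not Elastic's code): the rule's conditions applied to raw CloudTrail
records, plus correlation with a later delete on the same DB identifier."""
import json
from datetime import datetime, timedelta, timezone

MODIFY_ACTIONS = {"ModifyDBInstance", "ModifyDBCluster"}
DELETE_ACTIONS = {"DeleteDBInstance", "DeleteDBCluster"}

# Constructed sample records (not real logs). The account id, identifiers, ARN and
# access key id are placeholders; field names follow the CloudTrail record format.
ACTOR = {
    "type": "IAMUser",
    "arn": "arn:aws:iam::111122223333:user/example-user",
    "accessKeyId": "AKIAEXAMPLEPLACEHOLDER",
}
SAMPLE_EVENTS = [
    {   # protection disabled on an instance: must alert
        "eventTime": "2025-01-15T02:10:00Z", "eventSource": "rds.amazonaws.com",
        "eventName": "ModifyDBInstance", "userIdentity": ACTOR,
        "requestParameters": {"dBInstanceIdentifier": "prod-orders-db",
                              "deletionProtection": False},
    },
    {   # the same instance deleted minutes later: raises the alert's severity
        "eventTime": "2025-01-15T02:12:30Z", "eventSource": "rds.amazonaws.com",
        "eventName": "DeleteDBInstance", "userIdentity": ACTOR,
        "requestParameters": {"dBInstanceIdentifier": "prod-orders-db",
                              "skipFinalSnapshot": True},
    },
    {   # denied attempt on a cluster: errorCode present, so the outcome is not success
        "eventTime": "2025-01-15T02:15:00Z", "eventSource": "rds.amazonaws.com",
        "eventName": "ModifyDBCluster", "userIdentity": ACTOR, "errorCode": "AccessDenied",
        "requestParameters": {"dBClusterIdentifier": "analytics-cluster",
                              "deletionProtection": False},
    },
    {   # protection enabled, not disabled: must not alert
        "eventTime": "2025-01-15T02:20:00Z", "eventSource": "rds.amazonaws.com",
        "eventName": "ModifyDBInstance", "userIdentity": ACTOR,
        "requestParameters": {"dBInstanceIdentifier": "staging-db",
                              "deletionProtection": True},
    },
]


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def target_identifier(event):
    params = event.get("requestParameters") or {}
    return params.get("dBInstanceIdentifier") or params.get("dBClusterIdentifier")


def is_rds_success(event, actions):
    """eventSource, eventName and the absence of errorCode stand in for the rule's
    event.provider, event.action and event.outcome == "success" conditions."""
    return (event.get("eventSource") == "rds.amazonaws.com"
            and event.get("eventName") in actions
            and "errorCode" not in event)


def disables_deletion_protection(event):
    """Raw records carry deletionProtection as a JSON boolean, so test the value,
    not the flattened "deletionProtection=false" string the EQL rule matches."""
    params = event.get("requestParameters") or {}
    return is_rds_success(event, MODIFY_ACTIONS) and params.get("deletionProtection") is False


def find_alerts(events, window=timedelta(minutes=30)):
    """One alert per successful protection removal, escalated to high severity when
    the same identifier is deleted within `window` afterwards."""
    alerts = []
    for event in events:
        if not disables_deletion_protection(event):
            continue
        ident = target_identifier(event)
        start = parse_time(event["eventTime"])
        deletions = [
            e["eventName"] for e in events
            if is_rds_success(e, DELETE_ACTIONS) and target_identifier(e) == ident
            and start <= parse_time(e["eventTime"]) <= start + window
        ]
        alerts.append({
            "target": ident,
            "action": event["eventName"],
            "actor": event.get("userIdentity", {}).get("arn"),
            "followed_by": deletions,
            "severity": "high" if deletions else "medium",
        })
    return alerts


if __name__ == "__main__":
    print(json.dumps(find_alerts(SAMPLE_EVENTS), indent=2))
```

On the constructed records this yields a single alert for `prod-orders-db`, escalated to high because the delete follows within the window; the denied cluster modification and the protection-enabling change produce nothing, matching the rule's `event.outcome == "success"` and `deletionProtection=false` conditions.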

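The first remediation step in the rule's guide, re-enabling deletion protection on the affected instance or cluster and confirming it took effect, as an added example (not Elastic's or AWS's code). The function needs only four boto3 RDS client calls (`describe_db_instances`, `modify_db_instance`, `describe_db_clusters`, `modify_db_cluster`), so it is written against any object exposing them: here a constructed fake client with placeholder identifiers, in practice `boto3.client("rds")`.

```python
"""Added example (not Elastic's or AWS's code): re-enable DeletionProtection on an
RDS instance or cluster and read the resource back to verify the change."""


def reenable_deletion_protection(rds, identifier, is_cluster=False):
    """Set DeletionProtection=True if it is off, then return a small report stating
    whether a change was needed and whether protection is on after the call."""
    if is_cluster:
        before = rds.describe_db_clusters(DBClusterIdentifier=identifier)["DBClusters"][0]
        was_protected = bool(before.get("DeletionProtection"))
        if not was_protected:
            rds.modify_db_cluster(DBClusterIdentifier=identifier, DeletionProtection=True)
        after = rds.describe_db_clusters(DBClusterIdentifier=identifier)["DBClusters"][0]
    else:
        before = rds.describe_db_instances(DBInstanceIdentifier=identifier)["DBInstances"][0]
        was_protected = bool(before.get("DeletionProtection"))
        if not was_protected:
            rds.modify_db_instance(DBInstanceIdentifier=identifier, DeletionProtection=True)
        after = rds.describe_db_instances(DBInstanceIdentifier=identifier)["DBInstances"][0]
    return {
        "identifier": identifier,
        "changed": not was_protected,
        "protected_now": bool(after.get("DeletionProtection")),
    }


class FakeRdsClient:
    """Constructed stand-in for boto3's RDS client: it keeps only the DeletionProtection
    flag per identifier and records the modify calls it receives."""

    def __init__(self, instances, clusters):
        self.instances = dict(instances)
        self.clusters = dict(clusters)
        self.calls = []

    def describe_db_instances(self, DBInstanceIdentifier):
        return {"DBInstances": [{"DBInstanceIdentifier": DBInstanceIdentifier,
                                 "DeletionProtection": self.instances[DBInstanceIdentifier]}]}

    def describe_db_clusters(self, DBClusterIdentifier):
        return {"DBClusters": [{"DBClusterIdentifier": DBClusterIdentifier,
                                "DeletionProtection": self.clusters[DBClusterIdentifier]}]}

    def modify_db_instance(self, DBInstanceIdentifier, DeletionProtection):
        self.calls.append(("ModifyDBInstance", DBInstanceIdentifier, DeletionProtection))
        self.instances[DBInstanceIdentifier] = DeletionProtection
        return {"DBInstance": {"DBInstanceIdentifier": DBInstanceIdentifier}}

    def modify_db_cluster(self, DBClusterIdentifier, DeletionProtection):
        self.calls.append(("ModifyDBCluster", DBClusterIdentifier, DeletionProtection))
        self.clusters[DBClusterIdentifier] = DeletionProtection
        return {"DBCluster": {"DBClusterIdentifier": DBClusterIdentifier}}


def demo():
    """Placeholder identifiers: one unprotected instance, one already protected
    instance, and one unprotected cluster."""
    rds = FakeRdsClient({"prod-orders-db": False, "staging-db": True},
                        {"analytics-cluster": False})
    results = [
        reenable_deletion_protection(rds, "prod-orders-db"),
        reenable_deletion_protection(rds, "staging-db"),
        reenable_deletion_protection(rds, "analytics-cluster", is_cluster=True),
    ]
    return results, rds.calls


if __name__ == "__main__":
    for report in demo()[0]:
        print(report)
```

Against a real account the call is `reenable_deletion_protection(boto3.client("rds", region_name=...), identifier)`; the principal running it needs `rds:ModifyDBInstance` or `rds:ModifyDBCluster` plus the matching describe permission, and the resulting ModifyDBInstance/ModifyDBCluster call will itself appear in CloudTrail with `deletionProtection=true`, which is the reverse of what this rule matches.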