AWS RDS DB Instance or Cluster Deletion Protection Disabled

  1[metadata]
  2creation_date = "2024/06/28"
  3integration = ["aws"]
  4maturity = "production"
  5updated_date = "2026/01/21"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies the modification of an AWS RDS DB instance or cluster to disable the deletionProtection feature. Deletion
 11protection prevents accidental or unauthorized deletion of RDS resources. Adversaries with sufficient permissions may
 12disable this protection as a precursor to destructive actions, including the deletion of databases containing sensitive
 13or business-critical data. This rule alerts when deletionProtection is explicitly set to false on an RDS DB instance or
 14cluster.
 15"""
 16false_positives = [
 17    """
 18    The deletionProtection feature must be disabled as a prerequisite for deletion of a DB instance or cluster. Ensure
 19    that the instance should not be modified in this way before taking action.
 20    """,
 21]
 22from = "now-6m"
 23index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 24language = "eql"
 25license = "Elastic License v2"
 26name = "AWS RDS DB Instance or Cluster Deletion Protection Disabled"
 27note = """## Triage and analysis
 28
 29### Investigating AWS RDS DB Instance or Cluster Deletion Protection Disabled
 30 
 31Deletion protection is designed to safeguard RDS DB instances and clusters from accidental or unauthorized deletion. An adversary with privileged access in a compromised environment, can disable this safeguard before issuing a `DeleteDBInstance` or `DeleteDBCluster` action. This rule detects successful attempts to modify deletionProtection and set it to false on any RDS instance or cluster.
 32
 33#### Possible investigation steps
 34
 35- **Identify the Actor**
 36  - Review `aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.type`, and `access_key_id` to determine which IAM principal made the change.
 37  - Validate whether this principal normally performs RDS lifecycle operations.
 38
 39- **Review Event Details**
 40  - Inspect `aws.cloudtrail.request_parameters` to confirm the targeted DB instance or cluster identifier.
 41  - Confirm that the request explicitly contains `deletionProtection=false`.
 42
 43- **Contextualize the Change**
 44  - Determine if recent activities justify the removal of deletion protection (migration, decommissioning, or maintenance).
 45  - Compare the timestamp to normal operational hours or deployment windows.
 46
 47- **Correlate with Additional Activity**
 48  - Look for subsequent or preceding RDS actions such as:
 49    - `DeleteDBInstance`
 50    - `DeleteDBCluster`
 51    - Security group modifications
 52    - Changes to parameter groups or backup retention policies.
 53  - Sudden removal of backups or snapshots may indicate imminent destructive activity.
 54
 55- **Verify Environmental Risk**
 56  - Assess the sensitivity of data stored in the affected DB instance or cluster.
 57  - Determine if the instance is production, customer-facing, or mission-critical.
 58
 59- **Interview Relevant Personnel**
 60  - Confirm with service owners or DB administrators whether the modification was intended and approved.
 61
 62### False positive analysis
 63
 64- **Expected Decommissioning**
 65  - Instances undergoing teardown or migration legitimately require deletion protection to be disabled first.
 66
 67- **Inconsistent Historical Behavior**
 68  - Compare the action to historical modification patterns for the user or role. If the action aligns with past legitimate changes, it may not be suspicious.
 69
 70### Response and remediation
 71
 72- **Immediate Remediation**
 73  - If unauthorized, re-enable deletion protection (`deletionProtection=true`) on the affected DB instance or cluster.
 74  - Review security groups, backup retention, and snapshot policies for additional unauthorized changes.
 75
 76- **Access Review**
 77  - Investigate credential exposure for the IAM principal that performed the action.
 78  - Rotate access keys or temporarily revoke permissions if compromise is suspected.
 79
 80- **Containment**
 81  - If destructive intent is suspected, apply guardrails (e.g., IAM condition keys, SCPs) to prevent DB deletion.
 82
 83- **Audit and Harden**
 84  - Ensure RDS instances adhere to least-privilege principles.
 85  - Restrict who can modify `ModifyDBInstance` or `ModifyDBCluster` destructive settings, such as deletion protection, backup retention, and public accessibility.
 86
 87- **Incident Response Activation**
 88  - Treat unauthorized removal of deletion protection as a high-risk precursor to data destruction.
 89  - Trigger IR processes for containment, root cause analysis, and post-incident hardening.
 90
 91### Additional information
 92
 93- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)** 
 94- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)** 
 95- **Security Best Practices:** [AWS Knowledge Center – Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/).
 96"""
 97references = [
 98    "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBInstance.html",
 99    "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_DeleteInstance.html",
100]
101risk_score = 47
102rule_id = "f6652fb5-cd8e-499c-8311-2ce2bb6cac62"
103severity = "medium"
104tags = [
105    "Domain: Cloud",
106    "Data Source: AWS",
107    "Data Source: Amazon Web Services",
108    "Data Source: AWS RDS",
109    "Resources: Investigation Guide",
110    "Use Case: Threat Detection",
111    "Tactic: Impact",
112]
113timestamp_override = "event.ingested"
114type = "eql"
115
116query = '''
117any where event.dataset == "aws.cloudtrail"
118    and event.provider == "rds.amazonaws.com"
119    and event.action in ("ModifyDBInstance", "ModifyDBCluster")
120    and event.outcome == "success"
121    and stringContains(aws.cloudtrail.request_parameters, "deletionProtection=false")
122'''
123
124
125[[rule.threat]]
126framework = "MITRE ATT&CK"
127[[rule.threat.technique]]
128id = "T1485"
129name = "Data Destruction"
130reference = "https://attack.mitre.org/techniques/T1485/"
131
132
133[rule.threat.tactic]
134id = "TA0040"
135name = "Impact"
136reference = "https://attack.mitre.org/tactics/TA0040/"
137
138[rule.investigation_fields]
139field_names = [
140    "@timestamp",
141    "user.name",
142    "user_agent.original",
143    "source.ip",
144    "aws.cloudtrail.user_identity.arn",
145    "aws.cloudtrail.user_identity.type",
146    "aws.cloudtrail.user_identity.access_key_id",
147    "event.action",
148    "event.outcome",
149    "cloud.account.id",
150    "cloud.region",
151    "aws.cloudtrail.request_parameters",
152    "aws.cloudtrail.response_elements",
153]