AWS RDS DB Instance Made Public
Identifies the creation or modification of an Amazon RDS DB instance or cluster where the "publiclyAccessible" attribute is set to "true". Publicly accessible RDS instances expose a network endpoint on the public internet, which may allow unauthorized access if combined with overly permissive security groups, weak authentication, or misconfigured IAM policies. Adversaries may enable public access on an existing instance, or create a new publicly accessible instance, to establish persistence, move data outside of controlled network boundaries, or bypass internal access controls.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2024/06/29"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/21"

[rule]
author = ["Elastic"]
description = """
Identifies the creation or modification of an Amazon RDS DB instance or cluster where the "publiclyAccessible" attribute
is set to "true". Publicly accessible RDS instances expose a network endpoint on the public internet, which may allow
unauthorized access if combined with overly permissive security groups, weak authentication, or misconfigured IAM
policies. Adversaries may enable public access on an existing instance, or create a new publicly accessible instance, to
establish persistence, move data outside of controlled network boundaries, or bypass internal access controls.
"""
false_positives = [
    """
    Public access is a common configuration used to enable access from outside a private VPC. Ensure that the instance
    should not be modified in this way before taking action.
    """,
]
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "eql"
license = "Elastic License v2"
name = "AWS RDS DB Instance Made Public"
note = """## Triage and analysis

### Investigating AWS RDS DB Instance Made Public

This rule detects when an Amazon RDS DB instance or cluster is created or modified with
`publiclyAccessible=true`. While some environments operate publicly accessible RDS instances,
unexpected exposure of a database to the internet is a meaningful security risk. Adversaries who
gain access to AWS credentials may modify a DB instance's public accessibility to exfiltrate data,
establish persistence, or bypass internal network restrictions.

#### Possible Investigation Steps

- **Identify the actor**
  - Review `aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.type`, and `aws.cloudtrail.user_identity.access_key_id` to determine which IAM principal made the change.
  - Determine whether the user, role, or automation service typically manages RDS configurations.

- **Examine the request parameters**
  - Review `aws.cloudtrail.request_parameters` for:
    - `publiclyAccessible=true`
    - `DBInstanceIdentifier` / `DBClusterIdentifier`
    - Additional changes included in the same modification request (e.g., master user changes, security group updates)

- **Validate the target resource**
  - Determine the sensitivity of the instance:
    - What data does it store?
    - Is it production, staging, dev, or ephemeral?
  - Confirm whether the instance was previously private.

- **Assess network exposure**
  - Check associated security groups for:
    - `0.0.0.0/0` (unrestricted ingress)
    - Unexpected IP ranges
  - Review VPC/subnet placement to determine if the instance is reachable externally.

- **Correlate with other recent CloudTrail activity**
  - Look for related events performed by the same actor:
    - `AuthorizeSecurityGroupIngress`
    - `ModifyDBInstance`
    - IAM policy modifications enabling broader DB access
  - Look for indicators of credential misuse:
    - unusual `source.ip`
    - unusual `user_agent.original`
    - MFA not used (`aws.cloudtrail.user_identity.session_context.mfa_authenticated=false`)

- **Validate intent with owners**
  - Contact the service or database owner to confirm whether the change was an approved part of a deployment or migration.

### False Positive Analysis

- **Expected public-access configuration**
  - Some workloads intentionally require public access (e.g., internet-facing reporting tools).
  - Validate against change management tickets, deployment pipelines, or Terraform/IaC automation logs.

### Response and Remediation

- **Containment**
  - If exposure is unauthorized:
    - Modify the instance to disable public access (`publiclyAccessible=false`).
    - Restrict the security group inbound rules immediately.
    - Snapshot the instance to preserve state if compromise is suspected.

- **Investigation**
  - Review all recent actions from the same IAM principal.
  - Check for data access patterns (CloudWatch, RDS Enhanced Monitoring, VPC Flow Logs).
  - Identify whether this exposure correlates with suspicious outbound network activity.

- **Hardening**
  - Require private-only RDS instances unless explicitly documented.
  - Enforce security group least privilege and block public DB access via:
    - AWS Config rules (`rds-instance-public-access-check`)
    - Service Control Policies (SCPs) preventing public RDS settings
  - Implement continuous monitoring for network or configuration drift.

- **Recovery**
  - Restore the database to a private subnet if necessary.
  - Rotate credentials used by the DB instance and associated applications.
  - Document the incident and update policies or IaC templates to prevent recurrence.

### Additional Information:

- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)**
- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)**
- **Security Best Practices:** [AWS Knowledge Center – Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/).
"""
references = [
    "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBInstance.html",
    "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html",
    "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-persistence/aws-rds-persistence#make-instance-publicly-accessible-rds-modifydbinstance",
    "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc#rds-createdbinstance",
]
risk_score = 47
rule_id = "9efb3f79-b77b-466a-9fa0-3645d22d1e7f"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS RDS",
    "Resources: Investigation Guide",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Tactic: Defense Evasion",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
any where event.dataset == "aws.cloudtrail"
    and event.provider == "rds.amazonaws.com"
    and event.outcome == "success"
    and (
        (event.action == "ModifyDBInstance" and stringContains(aws.cloudtrail.request_parameters, "publiclyAccessible=true"))
        or
        (event.action in ("CreateDBInstance", "CreateDBCluster") and stringContains(aws.cloudtrail.request_parameters, "publiclyAccessible=true"))
    )
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1556"
name = "Modify Authentication Process"
reference = "https://attack.mitre.org/techniques/T1556/"
[[rule.threat.technique.subtechnique]]
id = "T1556.009"
name = "Conditional Access Policies"
reference = "https://attack.mitre.org/techniques/T1556/009/"



[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "event.action",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
    "aws.cloudtrail.request_parameters",
    "aws.cloudtrail.response_elements",
]
Related rules
- AWS RDS DB Instance or Cluster Password Modified
- AWS First Occurrence of STS GetFederationToken Request by User
- AWS Lambda Function Policy Updated to Allow Public Invocation
- AWS RDS DB Instance Restored
- AWS RDS DB Instance or Cluster Deletion Protection Disabled