AWS RDS DB Instance Made Public

  1[metadata]
  2creation_date = "2024/06/29"
  3integration = ["aws"]
  4maturity = "production"
  5updated_date = "2025/11/24"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies the creation or modification of an Amazon RDS DB instance or cluster where the "publiclyAccessible" attribute
 11is set to "true". Publicly accessible RDS instances expose a network endpoint on the public internet, which may allow
 12unauthorized access if combined with overly permissive security groups, weak authentication, or misconfigured IAM
 13policies. Adversaries may enable public access on an existing instance, or create a new publicly accessible instance, to
 14establish persistence, move data outside of controlled network boundaries, or bypass internal access controls.
 15"""
 16false_positives = [
 17    """
 18    Public access is a common configuration used to enable access from outside a private VPC. Ensure that the instance
 19    should not be modified in this way before taking action.
 20    """,
 21]
 22from = "now-6m"
 23index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 24language = "eql"
 25license = "Elastic License v2"
 26name = "AWS RDS DB Instance Made Public"
 27note = """## Triage and analysis
 28
 29> **Disclaimer**:
 30> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. 
 31> While every effort has been made to ensure its quality, validate and adapt it to suit your operational needs.
 32
 33### Investigating AWS RDS DB Instance Made Public
 34
 35This rule detects when an Amazon RDS DB instance or cluster is created or modified with
 36`publiclyAccessible=true`. While some environments operate publicly accessible RDS instances,
 37unexpected exposure of a database to the internet is a meaningful security risk. Adversaries who
 38gain access to AWS credentials may modify a DB instance’s public accessibility to exfiltrate data,
 39establish persistence, or bypass internal network restrictions. 
 40
 41#### Possible Investigation Steps
 42
 43- **Identify the actor**
 44  - Review `aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.type`, and `access_key_id` to determine which IAM principal made the change.
 45  - Determine whether the user, role, or automation service typically manages RDS configurations.
 46
 47- **Examine the request parameters**
 48  - Review `aws.cloudtrail.request_parameters` for:
 49    - `publiclyAccessible=true`
 50    - DBInstanceIdentifier / DBClusterIdentifier
 51    - Additional changes included in the same modification request (e.g., master user changes, security group updates)
 52
 53- **Validate the target resource**
 54  - Determine the sensitivity of the instance (`target.entity.id`):
 55    - What data does it store?
 56    - Is it production, staging, dev, or ephemeral?
 57  - Confirm whether the instance was previously private.
 58
 59- **Assess network exposure**
 60  - Check associated security groups for:
 61    - `0.0.0.0/0` (unrestricted ingress)
 62    - Unexpected IP ranges  
 63  - Review VPC/subnet placement to determine if the instance is reachable externally.
 64
 65- **Correlate with other recent CloudTrail activity**
 66  - Look for related events performed by the same actor:
 67    - `AuthorizeSecurityGroupIngress`
 68    - `ModifyDBInstance`
 69    - IAM policy modifications enabling broader DB access
 70  - Look for indicators of credential misuse:
 71    - unusual `source.ip`
 72    - unusual `user_agent.original`
 73    - MFA not used (`session_context.mfa_authenticated=false`)
 74
 75- **Validate intent with owners**
 76  - Contact the service or database owner to confirm whether the change was an approved part of a deployment or migration.
 77
 78### False Positive Analysis
 79
 80- **Expected public-access configuration**
 81  - Some workloads intentionally require public access (e.g., internet-facing reporting tools).
 82  - Validate against change management tickets, deployment pipelines, or Terraform/IaC automation logs.
 83
 84### Response and Remediation
 85
 86- **Containment**
 87  - If exposure is unauthorized:
 88    - Modify the instance to disable public access (`publiclyAccessible=false`).
 89    - Restrict the security group inbound rules immediately.
 90    - Snapshot the instance to preserve state if compromise is suspected.
 91
 92- **Investigation**
 93  - Review all recent actions from the same IAM principal.
 94  - Check for data access patterns (CloudWatch, RDS Enhanced Monitoring, VPC Flow Logs).
 95  - Identify whether this exposure correlates with suspicious outbound network activity.
 96
 97- **Hardening**
 98  - Require private-only RDS instances unless explicitly documented.
 99  - Enforce security group least privilege and block public DB access via:
100    - AWS Config rules (`rds-instance-public-access-check`)
101    - Service Control Policies (SCPs) preventing public RDS settings
102  - Implement continuous monitoring for network or configuration drift.
103
104- **Recovery**
105  - Restore the database to a private subnet if necessary.
106  - Rotate credentials used by the DB instance and associated applications.
107  - Document the incident and update policies or IaC templates to prevent recurrence.
108
109### Additional Information:
110
111- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)** 
112- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)** 
113- **Security Best Practices:** [AWS Knowledge Center – Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/).
114"""
115references = [
116    "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBInstance.html",
117    "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html",
118    "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-persistence/aws-rds-persistence#make-instance-publicly-accessible-rds-modifydbinstance",
119    "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc#rds-createdbinstance",
120]
121risk_score = 47
122rule_id = "9efb3f79-b77b-466a-9fa0-3645d22d1e7f"
123severity = "medium"
124tags = [
125    "Domain: Cloud",
126    "Data Source: AWS",
127    "Data Source: Amazon Web Services",
128    "Data Source: AWS RDS",
129    "Resources: Investigation Guide",
130    "Use Case: Threat Detection",
131    "Tactic: Persistence",
132    "Tactic: Defense Evasion",
133]
134timestamp_override = "event.ingested"
135type = "eql"
136
137query = '''
138any where event.dataset == "aws.cloudtrail"
139    and event.provider == "rds.amazonaws.com"
140    and event.outcome == "success"
141    and (
142        (event.action == "ModifyDBInstance" and stringContains(aws.cloudtrail.request_parameters, "publiclyAccessible=true"))
143        or
144        (event.action in ("CreateDBInstance", "CreateDBCluster") and stringContains(aws.cloudtrail.request_parameters, "publiclyAccessible=true"))
145    )
146'''
147
148
149[[rule.threat]]
150framework = "MITRE ATT&CK"
151[[rule.threat.technique]]
152id = "T1556"
153name = "Modify Authentication Process"
154reference = "https://attack.mitre.org/techniques/T1556/"
155[[rule.threat.technique.subtechnique]]
156id = "T1556.009"
157name = "Conditional Access Policies"
158reference = "https://attack.mitre.org/techniques/T1556/009/"
159
160
161
162[rule.threat.tactic]
163id = "TA0003"
164name = "Persistence"
165reference = "https://attack.mitre.org/tactics/TA0003/"
166[[rule.threat]]
167framework = "MITRE ATT&CK"
168
169[rule.threat.tactic]
170id = "TA0005"
171name = "Defense Evasion"
172reference = "https://attack.mitre.org/tactics/TA0005/"
173
174[rule.investigation_fields]
175field_names = [
176    "@timestamp",
177    "user.name",
178    "user_agent.original",
179    "source.ip",
180    "aws.cloudtrail.user_identity.arn",
181    "aws.cloudtrail.user_identity.type",
182    "aws.cloudtrail.user_identity.access_key_id",
183    "target.entity.id",
184    "event.action",
185    "event.outcome",
186    "cloud.account.id",
187    "cloud.region",
188    "aws.cloudtrail.request_parameters",
189    "aws.cloudtrail.response_elements",
190]