RDS Database Security Group Modification
Detects changes to the security group entries for RDS databases. Such a change can indicate a misconfiguration that exposes the database to the public internet or to a wider audience within the VPC, or the removal of valid rules, which could affect the availability of the database to legitimate services and users. Note that the four API calls the rule matches belong to the RDS DB security group API (the legacy, EC2-Classic style groups managed through rds.amazonaws.com); ingress changes on the VPC security groups attached to an RDS instance are recorded by EC2 (eventSource ec2.amazonaws.com, eventName AuthorizeSecurityGroupIngress and similar) and are not matched by this rule.
Sigma rule
title: RDS Database Security Group Modification
id: 14f3f1c8-02d5-43a2-a191-91ffb52d3015
status: test
description: |
  Detects changes to the security group entries for RDS databases.
  This can indicate that a misconfiguration has occurred which potentially exposes the database to the public internet, a wider audience within the VPC or that removal of valid rules has occurred which could impact the availability of the database to legitimate services and users.
references:
  - https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/
author: jamesc-grafana
date: 2024-07-11
tags:
  - attack.initial-access
  - attack.t1190
logsource:
  product: aws
  service: cloudtrail
detection:
  selection:
    eventSource: 'rds.amazonaws.com'
    eventName:
      - 'AuthorizeDBSecurityGroupIngress'
      - 'CreateDBSecurityGroup'
      - 'DeleteDBSecurityGroup'
      - 'RevokeDBSecurityGroupIngress'
  condition: selection
falsepositives:
  - Creation of a new Database that needs new security group rules
level: medium
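The detection logic above, run over a handful of CloudTrail records, as an added example that is not part of the Sigma rule or the SigmaHQ project. The selection is transcribed from the YAML; the CloudTrail records are constructed for illustration (the requestParameters field names dBSecurityGroupName and cIDRIP follow CloudTrail's casing, but the ARNs, addresses and group names are made up), and the exposes_to_internet triage helper is an addition of this example, not something the rule itself does. The sample deliberately includes an EC2 AuthorizeSecurityGroupIngress record to show that VPC security group changes fall outside the rule.

```python
import ipaddress

# The rule's single 'selection' block, transcribed from the Sigma YAML.
SELECTION = {
    "eventSource": "rds.amazonaws.com",
    "eventName": [
        "AuthorizeDBSecurityGroupIngress",
        "CreateDBSecurityGroup",
        "DeleteDBSecurityGroup",
        "RevokeDBSecurityGroupIngress",
    ],
}


def sigma_match(record):
    """Evaluate the selection against one CloudTrail record.

    Every key in a Sigma selection map must match (AND); a list value means
    any listed value may match (OR). Sigma string matching is case-insensitive
    by default, hence the casefold() on both sides.
    """
    for field, wanted in SELECTION.items():
        actual = str(record.get(field, "")).casefold()
        options = wanted if isinstance(wanted, list) else [wanted]
        if actual not in {o.casefold() for o in options}:
            return False
    return True


def exposes_to_internet(record):
    """Triage helper (not part of the rule): True when an ingress grant uses a
    CIDR covering every address (0.0.0.0/0 or ::/0). Only meaningful for
    AuthorizeDBSecurityGroupIngress, whose requestParameters carry 'cIDRIP'."""
    params = record.get("requestParameters") or {}
    cidr = params.get("cIDRIP")
    if not cidr:
        return False
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False
    return net.prefixlen == 0


def triage(records):
    """Return one finding per matching record with the fields an analyst wants
    first: who, what, from where, which group, and whether it opened the
    database to the world."""
    findings = []
    for rec in records:
        if not sigma_match(rec):
            continue
        params = rec.get("requestParameters") or {}
        findings.append({
            "eventName": rec["eventName"],
            "actor": rec.get("userIdentity", {}).get("arn", "unknown"),
            "sourceIP": rec.get("sourceIPAddress"),
            "dbSecurityGroup": params.get("dBSecurityGroupName"),
            "publicExposure": exposes_to_internet(rec),
        })
    return findings


# Constructed CloudTrail records (trimmed to the fields used here).
SAMPLE_EVENTS = [
    {"eventSource": "rds.amazonaws.com", "eventName": "AuthorizeDBSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"dBSecurityGroupName": "prod-db-sg", "cIDRIP": "0.0.0.0/0"}},
    {"eventSource": "rds.amazonaws.com", "eventName": "RevokeDBSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app-deploy"},
     "sourceIPAddress": "10.0.5.12",
     "requestParameters": {"dBSecurityGroupName": "prod-db-sg", "cIDRIP": "10.0.0.0/16"}},
    # VPC security group change: logged by EC2, so the rule does not fire.
    {"eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"groupId": "sg-0123456789abcdef0"}},
    # Read-only RDS call: right eventSource, wrong eventName.
    {"eventSource": "rds.amazonaws.com", "eventName": "DescribeDBSecurityGroups",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "sourceIPAddress": "10.0.5.13", "requestParameters": None},
    {"eventSource": "rds.amazonaws.com", "eventName": "CreateDBSecurityGroup",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "sourceIPAddress": "10.0.5.13",
     "requestParameters": {"dBSecurityGroupName": "new-db-sg"}},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f)
```

Three of the five records produce findings; only the first is flagged as public exposure. The EC2 record is the case the caveat in the description warns about: to cover VPC security groups attached to RDS instances, a separate selection on eventSource ec2.amazonaws.com would be needed.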