RDS Database Security Group Modification

Detects changes to the security group entries for RDS databases. This can indicate that a misconfiguration has occurred which potentially exposes the database to the public internet, a wider audience within the VPC or that removal of valid rules has occurred which could impact the availability of the database to legitimate services and users.

Sigma rule (View on GitHub)

 1title: RDS Database Security Group Modification
 2id: 14f3f1c8-02d5-43a2-a191-91ffb52d3015
 3status: test
 4description: |
 5    Detects changes to the security group entries for RDS databases.
 6    This can indicate that a misconfiguration has occurred which potentially exposes the database to the public internet, a wider audience within the VPC or that removal of valid rules has occurred which could impact the availability of the database to legitimate services and users.    
 7references:
 8    - https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/
 9author: jamesc-grafana
10date: 2024/07/11
11tags:
12    - attack.initial_access
13    - attack.t1190
14logsource:
15    product: aws
16    service: cloudtrail
17detection:
18    selection:
19        eventSource: 'rds.amazonaws.com'
20        eventName:
21            - 'AuthorizeDBSecurityGroupIngress'
22            - 'CreateDBSecurityGroup'
23            - 'DeleteDBSecurityGroup'
24            - 'RevokeDBSecurityGroupIngress'
25    condition: selection
26falsepositives:
27    - Creation of a new Database that needs new security group rules
28level: medium

References

Related rules

to-top