Our next-gen architecture is built to help you make sense of your ever-growing data. Watch a 4-min demo video!

Quick Start Security for Amazon - Aurora MySQL

Amazon - Aurora MySQL
Amazon - Aurora MySQL icon

Coralogix Extension For Amazon - Aurora MySQL Includes:

Alerts - 8

Stay on top of Amazon - Aurora MySQL key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

DROP Statement Executed

This alert detects the use of MySQL drop statement. A drop statement is used to either delete an existing table in a database or delete a database itself. This alert can trigger potential false positives. Please consider fine-tuning it according to your specific machines or user groups. Impact After an adversary has access to your Aurora MySQL database and has the necessary permissions, it can insert new records in highly sensitive database tables. Mitigation Validate if this action was legitimate. If not, revert the change and investigate it further. Additionally, administrators can consider the following recommendations to better secure MySQL: 1. Require all MySQL accounts to have a strong password. 2. Do not run MySQL with root-level privileges. 3. If the MySQL database is only used by local applications, remote access to the server should be disabled. 4. The MySQL instance should be configured to only allow access to permitted hosts. MITRE Tactic: TA0003 MITRE Technique: T1505 MITRE Sub-Technique: 001

ALTER Statement Executed

This alert detects the use of MySQL alter statement. The alter statement is used to add, delete, or modify columns in an existing table. This alert can trigger potential false positives. Please consider fine-tuning it according to your specific machines or user groups. Impact After an adversary has access to your Aurora MySQL database and has the necessary permissions they can alter the database tables to modify, delete or add the existing records. They can thus escalate their privileges and maintain persistence in the network or disrupt an organization's business operations. Mitigation Validate if this action was legitimate. If not, revert the change and investigate it further. Additionally, administrators can consider the following recommendations to better secure MySQL: 1. Require all MySQL accounts to have a strong password. 2. Do not run MySQL with root-level privileges. 3. If the MySQL database is only used by local applications, remote access to the server should be disabled. 4. The MySQL instance should be configured to only allow access to permitted hosts. MITRE Tactic: TA0003 MITRE Technique: T1505 MITRE Sub-Technique: 001

DELETE statement Executed

This alert detects the use of the MySQL delete statement. The delete statement is used to delete existing records in a table. This alert can trigger potential false positives. Please consider fine-tuning it according to your specific machines or user groups. Impact After an adversary has access to your Aurora MySQL database and has the necessary permissions, it can delete database tables and records in order to disrupt an organization's business operations. Mitigation Validate if this action was legitimate. If not, revert the change and investigate it further. Additionally, administrators can consider the following recommendations to better secure MySQL: 1. Require all MySQL accounts to have a strong password. 2. Do not run MySQL with root-level privileges. 3. If the MySQL database is only used by local applications, remote access to the server should be disabled. 4. The MySQL instance should be configured to only allow access to permitted hosts. 5. Check database user accounts for any excessive privileges to delete database tables and records. MITRE Tactic: TA0003 MITRE Technique: T1505 MITRE Sub-Technique: 001

Excessive DELETE statement Executed

This alert detects the excessive use of the MySQL delete statement in a specific time interval. The delete statement is used to delete existing records in a table. A user can either delete some records or all the records in a table. Impact After an adversary has access to your Aurora MySQL database and has the necessary permissions, it can delete database tables and records in order to disrupt an organization's business operations. Mitigation Validate if this action was legitimate. If not, revert the change and investigate it further. Additionally, administrators can consider the following recommendations to better secure MySQL: 1. Require all MySQL accounts to have a strong password. 2. Do not run MySQL with root-level privileges. 3. If the MySQL database is only used by local applications, remote access to the server should be disabled. 4. The MySQL instance should be configured to only allow access to permitted hosts. 5. Check database user accounts for excessive privileges to delete database tables and records. MITRE Tactic: TA0003 MITRE Technique: T1505 MITRE Sub-Technique: 001

Multiple Failed Connection Attempts From an IP Address

This alert triggers when there are more than 10 failed connection attempts to the Aurora MySQL database in a 5-minute interval from an IP address. Impact Multiple failed connection/login attempts in a short time frame might indicate a brute-force attack against the relevant account. Mitigation Check if the user/s are aware of the connection attempts and that these attempts are legit. If not, investigate this activity further. Additionally, administrators can consider the following recommendations to better secure MySQL: 1. Require all MySQL accounts to have a strong password. 2. Do not run MySQL with root-level privileges. 3. If the MySQL database is only used by local applications, remote access to the server should be disabled. 4. The MySQL instance should be configured to only allow access to permitted hosts. MITRE Tactic: TA0006 MITRE Technique: T1110

Multiple Failed Connection Attempts For a User

This alert triggers when there are more than 3 failed connection attempts to the Aurora MySQL database in a 5-minute interval for a specific user. Impact Multiple failed connection/login attempts in a short time frame might indicate a brute-force attack against the relevant account. Mitigation Check if the user is aware of the connection attempts and that these are legit. If not, investigate it further. Additionally, administrators can consider the following recommendations to better secure MySQL: 1. Require all MySQL accounts to have a strong password. 2. Do not run MySQL with root-level privileges. 3. If the MySQL database is only used by local applications, remote access to the server should be disabled. 4. The MySQL instance should be configured to only allow access to permitted hosts. MITRE Tactic: TA0006 MITRE Technique: T1110

Excessive SHOW Statement Executed

This alert detects the excessive use of MySQL show statement. The show statement is used to get a list of all the databases and database tables. This alert can trigger potential false positives. Please consider fine-tuning it according to your specific machines or user groups. Impact After an adversary has access to your Aurora MySQL database and has the necessary permissions, it can enumerate databases to view a list of tables and databases and gather critical information. Mitigation Validate if this action was legitimate. If not, investigate it further. Additionally, administrators can consider the following recommendations to better secure MySQL: 1. Require all MySQL accounts to have a strong password. 2. Do not run MySQL with root-level privileges. 3. If the MySQL database is only used by local applications, remote access to the server should be disabled. 4. The MySQL instance should be configured to only allow access to permitted hosts. MITRE Tactic: TA0003 MITRE Technique: T1505 MITRE Sub-Technique: 001

GRANT Statement Executed

This alert detects the use of a MySQL grant statement. GRANT is a command used to provide access or privileges on the database objects to the users. This alert can trigger potential false positives. Please consider fine-tuning it according to your specific machines or user groups. Impact After an adversary has access to your Aurora MySQL database and has the necessary permissions they can grant the access rights to a user on critical database objects. There are two types of privileges. 1) System privileges - This allows the user to CREATE, ALTER, or DROP database objects. 2) Object privileges - This allows the user to EXECUTE, SELECT, INSERT, UPDATE, or DELETE data from database objects to which the privileges apply. Mitigation Validate if this action was legitimate. If not, revert the change and investigate it further. Additionally, administrators can consider the following recommendations to better secure MySQL: 1. Require all MySQL accounts to have a strong password. 2. Do not run MySQL with root-level privileges. 3. If the MySQL database is only used by local applications, remote access to the server should be disabled. 4. The MySQL instance should be configured to only allow access to permitted hosts. MITRE Tactic: TA0003 MITRE Technique: T1505 MITRE Sub-Technique: 001

Integration

Learn more about Coralogix's out-of-the-box integration with Amazon - Aurora MySQL in our documentation.

Read More
Schedule Demo