Our next-gen architecture is built to help you make sense of your ever-growing data. Watch a 4-min demo video!

Quick Start Security for Amazon RDS PostgreSQL

Amazon RDS PostgreSQL
Amazon RDS PostgreSQL icon

Out-of-the-Box Security For Amazon RDS PostgreSQL Includes:

Alerts - 11

Stay on top of Amazon RDS PostgreSQL key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

Amazon RDS - PostgreSQL - DROP Statement Executed

This alert detects the use of SQL drop statement. A drop statement is used to either delete an existing table in a database or delete a database itself. This alert can trigger potential false positives. Please consider fine-tuning it according to your specific machines or user groups. Impact After an adversary has access to your RDS PostgreSQL database and has the necessary permissions, it can insert new records in highly sensitive database tables. Mitigation Validate if this action was legitimate. If not, revert the change and investigate it further. Additionally, administrators can consider the following recommendations to better secure PostgreSQL: 1. Require all PostgreSQL accounts to have a strong password. 2. Do not run PostgreSQL with root-level privileges. 3. If the PostgreSQL database is only used by local applications, remote access to the server should be disabled. 4. The PostgreSQL instance should be configured to only allow access to permitted hosts. MITRE Tactic: TA0003 MITRE Technique: T1505 MITRE Sub-Technique: 001

Amazon RDS - PostgreSQL - ALTER Statement Executed

This alert detects the use of SQL alter statement. The alter statement is used to add, delete, or modify columns in an existing table. This alert can trigger potential false positives. Please consider fine-tuning it according to your specific machines or user groups. Impact After an adversary has access to your RDS PostgreSQL database and has the necessary permissions they can alter the database tables to modify, delete or add the existing records. They can thus escalate their privileges and maintain persistence in the network or disrupt an organization's business operations. Mitigation Validate if this action was legitimate. If not, revert the change and investigate it further. Additionally, administrators can consider the following recommendations to better secure PostgreSQL: 1. Require all PostgreSQL accounts to have a strong password. 2. Do not run PostgreSQL with root-level privileges. 3. If the PostgreSQL database is only used by local applications, remote access to the server should be disabled. 4. The PostgreSQL instance should be configured to only allow access to permitted hosts. MITRE Tactic: TA0003 MITRE Technique: T1505 MITRE Sub-Technique: 001

Amazon RDS - PostgreSQL - DELETE statement Executed

This alert detects the use of the SQL delete statement. The delete statement is used to delete existing records in a table. This alert can trigger potential false positives. Please consider fine-tuning it according to your specific machines or user groups. Impact After an adversary has access to your RDS PostgreSQL database and has the necessary permissions, it can delete database tables and records in order to disrupt an organization's business operations. Mitigation Validate if this action was legitimate. If not, revert the change and investigate it further. Additionally, administrators can consider the following recommendations to better secure PostgreSQL: 1. Require all PostgreSQL accounts to have a strong password. 2. Do not run PostgreSQL with root-level privileges. 3. If the PostgreSQL database is only used by local applications, remote access to the server should be disabled. 4. The PostgreSQL instance should be configured to only allow access to permitted hosts. 5. Check database user accounts for any excessive privileges to delete database tables and records. MITRE Tactic: TA0003 MITRE Technique: T1505 MITRE Sub-Technique: 001

Amazon RDS - PostgreSQL - Excessive DELETE statement Executed

This alert detects the excessive use of the SQL delete statement in a specific time interval. The delete statement is used to delete existing records in a table. A user can either delete some records or all the records in a table. Impact After an adversary has access to your RDS PostgreSQL database and has the necessary permissions, it can delete database tables and records in order to disrupt an organization's business operations. Mitigation Validate if this action was legitimate. If not, revert the change and investigate it further. Additionally, administrators can consider the following recommendations to better secure PostgreSQL: 1. Require all PostgreSQL accounts to have a strong password. 2. Do not run PostgreSQL with root-level privileges. 3. If the PostgreSQL database is only used by local applications, remote access to the server should be disabled. 4. The PostgreSQL instance should be configured to only allow access to permitted hosts. 5. Check database user accounts for excessive privileges to delete database tables and records. MITRE Tactic: TA0003 MITRE Technique: T1505 MITRE Sub-Technique: 001

Amazon RDS - PostgreSQL - Excessive SELECT Statement Executed

This alert detects the excessive use of SQL select statement. Select statement is used to select data from a database. This alert can trigger potential false positives. Please consider fine-tuning it according to your specific machines or user groups. Impact After an adversary has access to your RDS PostgreSQL database and has the necessary permissions, it can enumerate databases to view tables and records to get an overview of database schemas, and user records. Mitigation Validate if this action was legitimate. If not, investigate it further. Additionally, administrators can consider the following recommendations to better secure PostgreSQL: 1. Require all PostgreSQL accounts to have a strong password. 2. Do not run PostgreSQL with root-level privileges. 3. If the PostgreSQL database is only used by local applications, remote access to the server should be disabled. 4. The PostgreSQL instance should be configured to only allow access to permitted hosts. MITRE Tactic: TA0003 MITRE Technique: T1505 MITRE Sub-Technique: 001

Amazon RDS - PostgreSQL - Excessive INSERT Statement Executed

This alert detects the excessive use of SQL insert statements. Insert statement is used to insert new records in a table. This command throws potential false positives as administrators and power users may use it for administrative activities so it can be fine-tuned according to specific machines or user groups. Impact After an adversary has access to your RDS PostgreSQL database and has the necessary permissions, it can insert new records in highly sensitive database tables. Mitigation Validate if this action was legitimate. If not, revert the change and investigate it further. Additionally, administrators can consider the following recommendations to better secure PostgreSQL: 1. Require all PostgreSQL accounts to have a strong password. 2. Do not run PostgreSQL with root-level privileges. 3. If the PostgreSQL database is only used by local applications, remote access to the server should be disabled. 4. The PostgreSQL instance should be configured to only allow access to permitted hosts. MITRE Tactic: TA0003 MITRE Technique: T1505 MITRE Sub-Technique: 001

Amazon RDS - PostgreSQL - GRANT Statement Executed

This alert detects the use of a SQL grant statement. GRANT is a command used to provide access or privileges on the database objects to the users. This alert can trigger potential false positives. Please consider fine-tuning it according to your specific machines or user groups. Impact After an adversary has access to your RDS PostgreSQL database and has the necessary permissions they can grant the access rights to a user on critical database objects. Mitigation Validate if this action was legitimate. If not, revert the change and investigate it further. Additionally, administrators can consider the following recommendations to better secure PostgreSQL: 1. Require all PostgreSQL accounts to have a strong password. 2. Do not run PostgreSQL with root-level privileges. 3. If the PostgreSQL database is only used by local applications, remote access to the server should be disabled. 4. The PostgreSQL instance should be configured to only allow access to permitted hosts. MITRE Tactic: TA0003 MITRE Technique: T1505 MITRE Sub-Technique: 001

Amazon RDS - PostgreSQL - UPDATE Statement Executed

This alert detects the use of a SQL update statement. An update statement is used to modify the existing records in a table. This alert can trigger potential false positives. Please consider fine-tuning it according to your specific machines or user groups. Impact After an adversary has access to your RDS PostgreSQL database and has the necessary permissions they can update the database tables to modify the records. They can also escalate their privileges and maintain persistence in the network by modifying the database tables. Mitigation Validate if this action was legitimate. If not, revert the change and investigate it further. Additionally, administrators can consider the following recommendations to better secure PostgreSQL: 1. Require all PostgreSQL accounts to have a strong password. 2. Do not run PostgreSQL with root-level privileges. 3. If the PostgreSQL database is only used by local applications, remote access to the server should be disabled. 4. The PostgreSQL instance should be configured to only allow access to permitted hosts. MITRE Tactic: TA0003 MITRE Technique: T1505 MITRE Sub-Technique: 001

Amazon RDS - PostgreSQL - Multiple 'Error' Log Type Seen From an IP Address

This alert triggers when more than 3 entries for the log type 'Error' are logged in a 10-minute interval. Impact Multiple entries for log type 'Error' could be an indication of malicious activity happening on the RDS PostgreSQL database. Mitigation Check with the user to validate if the action was legitimate and that they are aware of it. If not, investigate further. Additionally, administrators can consider the following recommendations to better secure PostgreSQL: 1. Require all PostgreSQL accounts to have a strong password. 2. Do not run PostgreSQL with root-level privileges. 3. If the PostgreSQL database is only used by local applications, remote access to the server should be disabled. 4. The PostgreSQL instance should be configured to only allow access to permitted hosts. MITRE Tactic: TA0006 MITRE Technique: T1110

Amazon RDS - PostgreSQL - Multiple Failed Connection Attempts From an IP Address

This alert triggers when there are more than 10 failed connection attempts to the RDS PostgreSQL database in a 5-minute interval from an IP address. Impact Multiple failed connection/login attempts in a short time frame might indicate a brute-force attack against the relevant account. Mitigation Check if the user/s are aware of the connection attempts and that these attempts are legit. If not, investigate this activity further. Additionally, administrators can consider the following recommendations to better secure PostgreSQL: 1. Require all PostgreSQL accounts to have a strong password. 2. Do not run PostgreSQL with root-level privileges. 3. If the PostgreSQL database is only used by local applications, remote access to the server should be disabled. 4. The PostgreSQL instance should be configured to only allow access to permitted hosts. MITRE Tactic: TA0006 MITRE Technique: T1110

Amazon RDS - PostgreSQL - Excessive SHOW Statement Executed

This alert detects the excessive use of SQL show statement. The show statement is used to get a list of all the databases and database tables. This alert can trigger potential false positives. Please consider fine-tuning it according to your specific machines or user groups. Impact After an adversary has access to your RDS PostgreSQL database and has the necessary permissions, it can enumerate databases to view a list of tables and databases and gather critical information. Mitigation Validate if this action was legitimate. If not, investigate it further. Additionally, administrators can consider the following recommendations to better secure PostgreSQL: 1. Require all PostgreSQL accounts to have a strong password. 2. Do not run PostgreSQL with root-level privileges. 3. If the PostgreSQL database is only used by local applications, remote access to the server should be disabled. 4. The PostgreSQL instance should be configured to only allow access to permitted hosts. MITRE Tactic: TA0003 MITRE Technique: T1505 MITRE Sub-Technique: 001

Documentation

Learn more about Coralogix's out-of-the-box integration with Amazon RDS PostgreSQL in our documentation.

Read More
Schedule Demo