Quick Start Security for Amazon RDS
Amazon RDS - Security Extension
This security extension pack includes rules that monitor the Amazon RDS database service.
It includes rules to detect changes to RDS instances, clusters and security groups. The extension pack relies on CloudTrail logs to function correctly, because every alert below is driven by an RDS API call recorded in CloudTrail.
Coralogix Extension For Amazon RDS Includes:
Alerts - 10
Stay on top of Amazon RDS key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.
RDS Security Group Creation
Creation of an Amazon Relational Database Service (RDS) security group was detected. Impact Creating a security group changes which sources may reach your DB instances; depending on who created it, the group may have been created by an attacker to open a path to the database. Mitigation Verify that the creation was authorized; if not, revert the change and investigate the user who made it. Note that RDS DB security groups are the legacy EC2-Classic construct; changes to the VPC security groups that most current deployments use are logged as EC2 events and are not covered by this rule. MITRE Tactic: TA0003 MITRE Technique: T1136
RDS Snapshot Export
An export of an Amazon RDS snapshot to Amazon S3 has started. Impact An attacker can export a snapshot to an S3 bucket they control in order to steal the database contents. After a successful export they may also delete the original database and demand a ransom, so this activity should be verified quickly. Mitigation Confirm with the initiating user that the snapshot export is legitimate and approved. If there is any suspicion of malicious activity, cancel the export, check the destination bucket and who owns it, and investigate the user who started the export. MITRE Tactic: TA0010 MITRE Technique: T1537
Deletion of RDS Instance/Cluster
Deletion of an Amazon RDS database instance or cluster was detected. Impact Deletion of an instance or cluster should always be validated as an authorized action. Attackers tend to delete databases after exfiltrating them, for ransom or other malicious purposes; a deletion that skips the final snapshot deserves particular attention. Mitigation Verify that the deletion was intended and authorized; if not, restore from the final snapshot or the most recent backup and investigate further. MITRE Tactic: TA0040 MITRE Technique: T1485
RDS Instance Creation
Creation of an Amazon RDS instance was detected. Impact An attacker can create an RDS instance to clone another instance or to host their own persistence mechanisms, and the resources consumed inflict cost on the organization. Mitigation Verify that the creation of the instance was authorized; if not, investigate the user who created it. MITRE Tactic: TA0003
RDS Instance/Cluster Stopped
An Amazon RDS cluster or instance has been stopped. Impact An adversary stopping an instance or cluster disrupts the production services that depend on it. Mitigation Verify that the stop action was authorized; if not, start the instance or cluster again and investigate further. MITRE Tactic: TA0040 MITRE Technique: T1489
RDS Cluster Creation
Creation of a new Amazon RDS cluster or global cluster was detected. Impact An RDS cluster is a group of DB instances, typically spread across Availability Zones, that serve one database. An attacker can create a cluster to clone another cluster or to host persistence mechanisms, and the resources consumed inflict cost on the organization. Mitigation Verify that the creation of the cluster was authorized; if not, investigate the user who created it. MITRE Tactic: TA0003 MITRE Technique: T1133
RDS Security Group Deletion
Deletion of an Amazon RDS security group was detected. Impact Deleting a security group changes which sources may reach RDS instances. An attacker can use this to grant themselves access or to cut off legitimate users. Mitigation Verify that the deletion was authorized; if not, recreate the group with its previous rules and investigate the user who made the change. MITRE Tactic: TA0040 MITRE Technique: T1531
RDS Snapshot Restored
An Amazon RDS snapshot restore operation has occurred. Impact Restoring a snapshot creates a new DB instance or cluster from it, so an adversary can use a restore to obtain a copy of the database under their control, for example in a different account, region or VPC with weaker access controls, as a means to exfiltrate the data. Mitigation Verify that the restore was authorized; if not, investigate the user who initiated it and delete the restored instance or cluster where possible. MITRE Tactic: TA0005 MITRE Technique: T1578
AWS RDS - Database was created with no encryption
Creation of an RDS database without storage encryption was detected. A new database was created with encryption at rest disabled. Impact If the underlying storage, a snapshot or a backup of the instance is obtained, its data can be read directly. Mitigation Encryption at rest cannot be switched on for an existing RDS instance: take a snapshot, copy the snapshot with encryption enabled under a KMS key, restore from the encrypted copy and retire the unencrypted instance. Going forward, require StorageEncrypted at creation time. MITRE Tactic: TA0009 MITRE Technique: T1530
AWS RDS - Database was made public
Modification of an RDS database to be publicly accessible was detected. A publicly accessible database gets a public IP address and can be reached from the internet if its security group allows it. Impact Publicly reachable databases are exposed to credential brute-forcing, denial-of-service and exploitation of vulnerabilities in the database engine, any of which can affect business continuity. Mitigation Set the database back to not publicly accessible and reach it through a VPN or a bastion host inside the VPC instead. MITRE Tactic: TA0001 MITRE Technique: T1190
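The ten alerts above all reduce to matching CloudTrail records for RDS API calls. The following Python script is an added example, not Coralogix's rule definitions and not code from AWS: it evaluates newline-delimited CloudTrail records against the alert names on this page. CloudTrail records an RDS call with eventSource "rds.amazonaws.com" and eventName equal to the API action, and lower-cases the first character of parameter names (so DBInstanceIdentifier appears as dBInstanceIdentifier); which actions map to which alert is this example's own assumption, and the sample records are constructed.

```python
"""Match CloudTrail records against the RDS alerts described on this page.

Added example, not Coralogix's rule definitions. The action-to-alert mapping
below is an assumption; the sample records at the bottom are constructed.
"""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Alert name -> RDS API actions assumed to trigger it.
EVENT_ALERTS: Dict[str, Set[str]] = {
    "RDS Security Group Creation": {"CreateDBSecurityGroup"},
    "RDS Snapshot Export": {"StartExportTask"},
    "Deletion of RDS Instance/Cluster": {"DeleteDBInstance", "DeleteDBCluster"},
    "RDS Instance Creation": {"CreateDBInstance"},
    "RDS Instance/Cluster Stopped": {"StopDBInstance", "StopDBCluster"},
    "RDS Cluster Creation": {"CreateDBCluster", "CreateGlobalCluster"},
    "RDS Security Group Deletion": {"DeleteDBSecurityGroup"},
    "RDS Snapshot Restored": {
        "RestoreDBInstanceFromDBSnapshot",
        "RestoreDBClusterFromSnapshot",
        "RestoreDBInstanceToPointInTime",
    },
}


@dataclass
class Alert:
    name: str
    event_name: str
    actor: str          # caller's IAM ARN, for the "verify with the user" step
    source_ip: str
    resource: Optional[str]


def _resource(params: dict) -> Optional[str]:
    # CloudTrail lower-cases the first character of API parameter names,
    # so DBInstanceIdentifier is logged as "dBInstanceIdentifier".
    for key in ("dBInstanceIdentifier", "dBClusterIdentifier",
                "dBSecurityGroupName", "exportTaskIdentifier"):
        if params.get(key):
            return params[key]
    return None


def _flag(record: dict, key: str) -> Optional[bool]:
    # Prefer the state AWS reported back over what the caller requested.
    for section in ("responseElements", "requestParameters"):
        value = (record.get(section) or {}).get(key)
        if isinstance(value, bool):
            return value
    return None


def evaluate(record: dict) -> List[Alert]:
    if record.get("eventSource") != "rds.amazonaws.com":
        return []
    if record.get("errorCode"):
        return []       # AWS rejected the call, so nothing changed
    name = record.get("eventName", "")
    params = record.get("requestParameters") or {}
    ident = record.get("userIdentity") or {}
    ctx = dict(event_name=name,
               actor=ident.get("arn") or ident.get("principalId", "unknown"),
               source_ip=record.get("sourceIPAddress", ""),
               resource=_resource(params))
    hits = [Alert(a, **ctx) for a, events in EVENT_ALERTS.items() if name in events]
    # Configuration rules look at the parameters, not just the action.
    if name == "CreateDBInstance" and _flag(record, "storageEncrypted") is not True:
        # StorageEncrypted defaults to false, so an absent flag means unencrypted.
        hits.append(Alert("AWS RDS - Database was created with no encryption", **ctx))
    if name in ("CreateDBInstance", "ModifyDBInstance") and _flag(record, "publiclyAccessible") is True:
        hits.append(Alert("AWS RDS - Database was made public", **ctx))
    return hits


def scan(log_text: str) -> List[Alert]:
    """Evaluate newline-delimited CloudTrail records (the items of 'Records')."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        if line.strip():
            alerts.extend(evaluate(json.loads(line)))
    return alerts


# Constructed sample records, trimmed to the fields used above.
SAMPLE_LOG = """
{"eventSource":"rds.amazonaws.com","eventName":"CreateDBInstance","userIdentity":{"arn":"arn:aws:iam::123456789012:user/alice"},"sourceIPAddress":"203.0.113.10","requestParameters":{"dBInstanceIdentifier":"orders-db","storageEncrypted":false,"publiclyAccessible":true},"responseElements":{"dBInstanceIdentifier":"orders-db","storageEncrypted":false,"publiclyAccessible":true}}
{"eventSource":"rds.amazonaws.com","eventName":"ModifyDBInstance","userIdentity":{"arn":"arn:aws:iam::123456789012:role/ci"},"sourceIPAddress":"198.51.100.7","requestParameters":{"dBInstanceIdentifier":"orders-db","publiclyAccessible":true}}
{"eventSource":"rds.amazonaws.com","eventName":"DeleteDBInstance","errorCode":"AccessDenied","userIdentity":{"arn":"arn:aws:iam::123456789012:user/mallory"},"sourceIPAddress":"192.0.2.5","requestParameters":{"dBInstanceIdentifier":"orders-db"}}
{"eventSource":"rds.amazonaws.com","eventName":"StartExportTask","userIdentity":{"arn":"arn:aws:iam::123456789012:user/mallory"},"sourceIPAddress":"192.0.2.5","requestParameters":{"exportTaskIdentifier":"orders-export","s3BucketName":"attacker-bucket"}}
{"eventSource":"ec2.amazonaws.com","eventName":"AuthorizeSecurityGroupIngress","userIdentity":{"arn":"arn:aws:iam::123456789012:user/alice"},"sourceIPAddress":"203.0.113.10","requestParameters":{}}
{"eventSource":"rds.amazonaws.com","eventName":"DeleteDBCluster","userIdentity":{"arn":"arn:aws:iam::123456789012:user/mallory"},"sourceIPAddress":"192.0.2.5","requestParameters":{"dBClusterIdentifier":"orders-cluster","skipFinalSnapshot":true}}
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.name}: {a.event_name} on {a.resource} by {a.actor} from {a.source_ip}")
```

Two details matter in practice: a record with an errorCode is skipped, because a denied DeleteDBInstance changed nothing (though a burst of denied calls is worth its own alert), and the encryption and public-access checks read responseElements before requestParameters, since the response reflects the state AWS actually applied. On the constructed sample, the first CreateDBInstance fires three alerts at once (creation, unencrypted, public), the denied deletion and the EC2 event fire none, and the export and cluster deletion fire one each.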
Integration
Learn more about Coralogix's out-of-the-box integration with Amazon RDS in our documentation.