Quick Start Security for Amazon RDS

Amazon RDS
Overview

Amazon RDS - Security Extension

This security extension pack includes rules for monitoring the Amazon RDS database service.

It includes rules to monitor changes to RDS instances, clusters and security groups. This extension pack relies on CloudTrail logs to function correctly.

Coralogix Extension For Amazon RDS Includes:

Alerts - 10

Stay on top of Amazon RDS key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

RDS Security Group Creation

Creation of an Amazon Relational Database Service (RDS) security group.
Impact: A security group creation can allow or revoke access to your DB instance, depending on who created it; it can also be an attacker-created group.
Mitigation: Verify that the group creation was authorized; if not, revert the changes and further investigate the user who made them.
MITRE Tactic: TA0003
MITRE Technique: T1136

RDS Snapshot Export

An export of an Amazon RDS snapshot has started.
Impact: An attacker can export an RDS instance in order to compromise a database. After a successful export they can also delete the original DB for ransom purposes, so it is advised to verify this activity quickly.
Mitigation: Verify with the initiating user that the export of the RDS snapshot is legitimate and approved. Stop the export if there is any suspicion of malicious activity and further investigate the user who initiated it.
MITRE Tactic: TA0010
MITRE Technique: T1537
MITRE Sub-Technique: 002

Deletion of RDS Instance/Cluster

Deletion of an Amazon RDS cluster or database instance.
Impact: Deletion of a cluster or database should always be validated as an authorized action. Attackers tend to delete databases after exfiltrating them, for ransom or other malicious purposes.
Mitigation: Verify that the deletion was intended and authorized; if not, stop the action, revert and investigate further.
MITRE Tactic: TA0040
MITRE Technique: T1485

RDS Instance Creation

Creation of an Amazon RDS instance.
Impact: An attacker can use an RDS instance to copy another instance or to store persistence mechanisms in a database. They can also consume resources to harm the organization.
Mitigation: Verify that the creation of the RDS instance was authorized; if not, further investigate the user who created it.
MITRE Tactic: TA0003

RDS Instance/Cluster Stopped

An Amazon RDS cluster or instance has been stopped.
Impact: An adversary stopping an instance or cluster can hurt production services and hinder the organization's services.
Mitigation: Verify that the stop action was authorized; if not, revert and investigate further.
MITRE Tactic: TA0040
MITRE Technique: T1489

RDS Cluster Creation

Creation of a new Amazon RDS cluster or Global Cluster.
Impact: An RDS cluster is a multi-zone group of RDS instances. An attacker can use an RDS cluster to copy another cluster or to store persistence mechanisms in a cluster. They can also consume resources to harm the organization.
Mitigation: Verify that the creation of the RDS cluster was authorized; if not, further investigate the user who created it.
MITRE Tactic: TA0003
MITRE Technique: T1133

RDS Security Group Deletion

Deletion of an Amazon RDS security group.
Impact: Deleting a security group can allow or deny access to RDS instances. An attacker can use this method to grant themselves access or to deny legitimate users access to resources.
Mitigation: Verify that the group deletion was authorized; if not, revert the changes and further investigate the user who made them.
MITRE Tactic: TA0040
MITRE Technique: T1531

RDS Snapshot Restored

An RDS snapshot restore operation has occurred.
Impact: An adversary restoring an RDS snapshot can overwrite current database data, or restore it to a different location as a means of exfiltrating the data.
Mitigation: Verify that the restore operation was authorized; if not, further investigate the user who initiated it and consider reverting the changes if possible.
MITRE Tactic: TA0005
MITRE Technique: T1578

AWS RDS - Database was created with no encryption

Creation of a non-encrypted RDS database was detected: a new database was created with no data encryption enabled on it.
Impact: Data can be read from RDS instances if they are compromised.
Mitigation: Enable RDS encryption on the relevant database.
MITRE Tactic: TA0009
MITRE Technique: T1530

AWS RDS - Database was made public

A modification of an RDS database to public access was detected. When a database is public, anyone on the internet can reach it.
Impact: Public databases are more exposed to attacks such as DoS/DDoS, SQL injection and others that can affect business continuity.
Mitigation: Change the database back to not being publicly accessible and use a VPN connection in order to connect to it.
MITRE Tactic: TA0001
MITRE Technique: T1190
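The alerts above all key off CloudTrail records for the RDS API. The following is an added example, not Coralogix's rule logic, that maps constructed CloudTrail records to the alert names listed on this page; the event names, the rds.amazonaws.com event source and the request-parameter keys are assumptions taken from the public RDS API, and the account id and ARNs are placeholders.

```python
import json
# Assumed CloudTrail eventName -> alert name from this page (event names are assumptions)
EVENT_ALERTS = {
    "CreateDBSecurityGroup": "RDS Security Group Creation",
    "StartExportTask": "RDS Snapshot Export",
    "DeleteDBInstance": "Deletion of RDS Instance/Cluster",
    "DeleteDBCluster": "Deletion of RDS Instance/Cluster",
    "CreateDBInstance": "RDS Instance Creation",
    "StopDBInstance": "RDS Instance/Cluster Stopped",
    "StopDBCluster": "RDS Instance/Cluster Stopped",
    "CreateDBCluster": "RDS Cluster Creation",
    "CreateGlobalCluster": "RDS Cluster Creation",
    "DeleteDBSecurityGroup": "RDS Security Group Deletion",
    "RestoreDBInstanceFromDBSnapshot": "RDS Snapshot Restored",
    "RestoreDBClusterFromSnapshot": "RDS Snapshot Restored",
}

def alerts_for_event(record):
    """Return the alert names one CloudTrail record should raise."""
    if record.get("eventSource") != "rds.amazonaws.com":
        return []  # only RDS API calls are relevant to this pack
    name = record.get("eventName", "")
    params = record.get("requestParameters") or {}
    found = [EVENT_ALERTS[name]] if name in EVENT_ALERTS else []
    # The two configuration alerts key off request parameters, not the API name
    if name == "CreateDBInstance" and params.get("storageEncrypted") is False:
        found.append("AWS RDS - Database was created with no encryption")
    if name in ("CreateDBInstance", "ModifyDBInstance") and params.get("publiclyAccessible") is True:
        found.append("AWS RDS - Database was made public")
    return found

def scan_trail(trail_json):
    """Map each alert name to the IAM identities (ARNs) that triggered it."""
    hits = {}
    for rec in json.loads(trail_json)["Records"]:
        who = rec.get("userIdentity", {}).get("arn", "unknown")
        for alert in alerts_for_event(rec):
            hits.setdefault(alert, []).append(who)
    return hits

# Constructed sample CloudTrail records (not real log data); account id and ARNs are placeholders
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventSource": "rds.amazonaws.com", "eventName": "CreateDBInstance",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"storageEncrypted": False, "publiclyAccessible": True}},
    {"eventSource": "rds.amazonaws.com", "eventName": "StartExportTask",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ci-role"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "StopInstances", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}},
]})
```

Running scan_trail(SAMPLE_TRAIL) shows one CreateDBInstance call raising three of the page's alerts at once, while the EC2 event is ignored.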

Integration

Learn more about Coralogix's out-of-the-box integration with Amazon RDS in our documentation.
