Rules Contributing to Suspicious AWS RDS Event

The following rules are used to identify suspicious activity related to AWS RDS events. Any one or more of these will trigger Suspicious AWS RDS Event Alert. Details for each rule can be viewed by clicking the More Details link in the description.

Title

Description

Restore Public AWS RDS Instance

Detects the recovery of a new public database instance from a snapshot. It may be a part of data exfiltration.

AWS RDS Master Password Change

Detects the change of database master password. It may be a part of data exfiltration.

AWS RDS Snapshot Export

Identifies the export of an Amazon Relational Database Service (RDS) Aurora database snapshot.

AWS RDS Cluster Creation

Identifies the creation of a new Amazon Relational Database Service (RDS) Aurora DB cluster or global database spread across multiple regions.

AWS RDS Snapshot Restored

Identifies when an attempt was made to restore an RDS Snapshot. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data or evade detection after performing malicious activities. If the permissions were modified, verify if the snapshot was shared with an unauthorized or unexpected AWS account.

AWS RDS Instance/Cluster Stoppage

Identifies that an Amazon Relational Database Service (RDS) cluster or instance has been stopped.

AWS Deletion of RDS Instance or Cluster

Identifies the deletion of an Amazon Relational Database Service (RDS) Aurora database cluster, global database cluster, or database instance.

AWS RDS Security Group Deletion

Identifies the deletion of an Amazon Relational Database Service (RDS) Security group.

AWS RDS Instance Creation

Identifies the creation of an Amazon Relational Database Service (RDS) Aurora database instance.

AWS RDS Snapshot Created

A copy of an AWS RDS database has been created.

AWS RDS Security Group Modified

A RDS security group has been modified.