
Summary
This detection rule identifies the creation or modification of an AWS RDS (Relational Database Service) DB instance or cluster with public access enabled, a change that can expose database contents to anyone who can reach the endpoint. Adversaries may make this change to maintain persistence in a compromised environment or to bypass the network access controls that normally front the database. The rule uses Event Query Language (EQL) over AWS CloudTrail logs and matches successful RDS API calls, whether a `ModifyDBInstance` against an existing instance or a `CreateDBInstance`/`CreateDBCluster` for a new one, whose request parameters set `publiclyAccessible` to true; failed calls are excluded. The user identity fields in the CloudTrail record (principal type, ARN, source address) are retained so an analyst can judge whether the actor and context are expected. Two caveats matter in triage: the `publiclyAccessible` flag alone does not make a database reachable, because the instance must also sit in a subnet with a route to an internet gateway and its security group must allow inbound traffic on the database port; and a `ModifyDBInstance` without `applyImmediately` only takes effect at the next maintenance window, which leaves time to revert it. Recommended response is to investigate the actor, review the change against organizational standards for instance accessibility, revert the setting if it is not sanctioned, and follow incident response procedures where unauthorized access was granted.
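To make the matching logic concrete, here is an added example (not the rule's own EQL, and not Elastic's or AWS's code) that applies the same conditions to CloudTrail records in Python. The records in `SAMPLE_LOG` are constructed for this illustration, with hypothetical account IDs, ARNs and identifiers; the field names follow the CloudTrail JSON layout (`eventName`, `requestParameters`, `userIdentity`, `errorCode`), where the API's `PubliclyAccessible` appears as `publiclyAccessible`.

```python
"""Match successful RDS create/modify calls that set publiclyAccessible=true.

Added example for the detection described above. Sample records below are
constructed, not captured from a real AWS account; the ARNs and identifiers
are hypothetical.
"""
import json

# CloudTrail eventName values the rule summary lists as in scope.
IN_SCOPE_ACTIONS = {"ModifyDBInstance", "CreateDBInstance", "CreateDBCluster"}

# Constructed CloudTrail delivery file: {"Records": [...]}, one record per call.
SAMPLE_LOG = json.dumps({"Records": [
    {   # IAM user flips an existing instance to public, effective immediately -> match
        "eventSource": "rds.amazonaws.com", "eventName": "ModifyDBInstance",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/dev-ops"},
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"dBInstanceIdentifier": "orders-db",
                              "publiclyAccessible": True, "applyImmediately": True},
    },
    {   # New instance created private -> no match
        "eventSource": "rds.amazonaws.com", "eventName": "CreateDBInstance",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/deploy/ci"},
        "sourceIPAddress": "10.0.4.12",
        "requestParameters": {"dBInstanceIdentifier": "reports-db", "publiclyAccessible": False},
    },
    {   # Attempt to create a public cluster was denied -> no match (success only)
        "eventSource": "rds.amazonaws.com", "eventName": "CreateDBCluster",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/readonly/bob"},
        "sourceIPAddress": "198.51.100.7", "errorCode": "AccessDenied",
        "requestParameters": {"dBClusterIdentifier": "analytics", "publiclyAccessible": True},
    },
    {   # Root creates a public cluster -> match
        "eventSource": "rds.amazonaws.com", "eventName": "CreateDBCluster",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
        "sourceIPAddress": "198.51.100.7",
        "requestParameters": {"dBClusterIdentifier": "analytics", "publiclyAccessible": True},
    },
    {   # Unrelated RDS call -> no match
        "eventSource": "rds.amazonaws.com", "eventName": "DeleteDBInstance",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/dev-ops"},
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"dBInstanceIdentifier": "old-db"},
    },
]})


def load_records(text: str) -> list:
    """Parse a CloudTrail delivery document and return its Records list."""
    return json.loads(text).get("Records", [])


def is_public_access_grant(event: dict) -> bool:
    """True when a successful RDS create/modify call sets publiclyAccessible=true."""
    if event.get("eventSource") != "rds.amazonaws.com":
        return False
    if event.get("eventName") not in IN_SCOPE_ACTIONS:
        return False
    if "errorCode" in event:          # the rule only fires on successful calls
        return False
    params = event.get("requestParameters") or {}
    # Require an explicit boolean true; an absent flag keeps the default (private).
    return params.get("publiclyAccessible") is True


def summarize(event: dict) -> dict:
    """Pull the identity and target fields an analyst needs for triage."""
    ident = event.get("userIdentity") or {}
    params = event.get("requestParameters") or {}
    return {
        "action": event["eventName"],
        "target": params.get("dBInstanceIdentifier") or params.get("dBClusterIdentifier"),
        "actor_type": ident.get("type"),
        "actor_arn": ident.get("arn"),
        "source_ip": event.get("sourceIPAddress"),
        # Without applyImmediately a ModifyDBInstance waits for the maintenance window.
        "apply_immediately": bool(params.get("applyImmediately", False)),
    }


def detect(records: list) -> list:
    """Return triage summaries for every record that satisfies the rule."""
    return [summarize(r) for r in records if is_public_access_grant(r)]


if __name__ == "__main__":
    for hit in detect(load_records(SAMPLE_LOG)):
        print(json.dumps(hit))
```

Running the block prints one line per matching record: the `ModifyDBInstance` by the IAM user and the `CreateDBCluster` by root, with the denied cluster creation and the private instance filtered out. In a real pipeline the same three conditions (in-scope action, no `errorCode`, explicit `publiclyAccessible: true`) are what the EQL query expresses; the identity fields are carried along for the analyst rather than used to suppress alerts, since a legitimate principal can still make an unsanctioned change.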
Categories
- Cloud
- AWS
- Database
Data Sources
- Cloud Storage
- User Account
- Cloud Service
- Network Traffic
ATT&CK Techniques
- T1556
- T1556.009
Created: 2024-06-29