Techniques
Sample rules
RDS Database Security Group Modification
- source: sigma
- techniques:
  - t1190
Description
Detects changes to the security group entries for RDS databases. Such a change can indicate a misconfiguration that exposes the database to the public internet or to a wider audience within the VPC, or the removal of valid rules, which could impact the availability of the database to legitimate services and users.
Detection logic
condition: selection
selection:
  eventName:
    - AuthorizeDBSecurityGroupIngress
    - CreateDBSecurityGroup
    - DeleteDBSecurityGroup
    - RevokeDBSecurityGroupIngress
  eventSource: rds.amazonaws.com
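
The selection above applied to CloudTrail records, as an added example that is not part of the Sigma rule or its project. The function names (matches, triage), the sample records, and the requestParameters key names dBSecurityGroupName and cIDRIP are assumptions made for the illustration.

```python
import json

# Selection from the rule above; Sigma compares strings case-insensitively.
EVENT_SOURCE = "rds.amazonaws.com"
EVENT_NAMES = {"authorizedbsecuritygroupingress", "createdbsecuritygroup",
               "deletedbsecuritygroup", "revokedbsecuritygroupingress"}

def matches(event):
    """condition: selection -> eventSource and eventName must both match."""
    return (str(event.get("eventSource", "")).lower() == EVENT_SOURCE
            and str(event.get("eventName", "")).lower() in EVENT_NAMES)

def triage(log_text):
    """Summarise each matching record of a CloudTrail log file for review."""
    hits = []
    for ev in json.loads(log_text).get("Records", []):
        if not matches(ev):
            continue
        params = ev.get("requestParameters") or {}  # may be null
        cidr = params.get("cIDRIP")
        grants = ev["eventName"].lower().startswith("authorize")
        hits.append({
            "actor": (ev.get("userIdentity") or {}).get("arn"),
            "event": ev["eventName"],
            "group": params.get("dBSecurityGroupName"),
            "cidr": cidr,
            # Worst case in the description: ingress from the whole internet.
            "opens_to_internet": grants and cidr == "0.0.0.0/0",
            # The selection also fires on denied calls, which changed nothing.
            "failed": "errorCode" in ev,
        })
    return hits

# Constructed records; requestParameters key names are assumed for the sample.
def _rec(source, name, params, **extra):
    return {"eventSource": source, "eventName": name,
            "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example"},
            "requestParameters": params, **extra}

SAMPLE = json.dumps({"Records": [
    _rec("rds.amazonaws.com", "AuthorizeDBSecurityGroupIngress",
         {"dBSecurityGroupName": "example-db-sg", "cIDRIP": "0.0.0.0/0"}),
    _rec("rds.amazonaws.com", "RevokeDBSecurityGroupIngress",
         {"dBSecurityGroupName": "example-db-sg", "cIDRIP": "10.0.0.0/16"},
         errorCode="AccessDenied"),
    # VPC security group changes go through the EC2 API: not selected.
    _rec("ec2.amazonaws.com", "AuthorizeSecurityGroupIngress",
         {"groupId": "sg-0example"}),
]})
print(*triage(SAMPLE), sep="\n")
```

The third sample record shows a coverage limit of the selection: an ingress change made through ec2.amazonaws.com is not matched and needs its own rule.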