Cross-account DB snapshot sharing is common in multi-account AWS organizations, particularly for backup workflows, migrations, analytics pipelines, and disaster recovery. Ensure the added account is expected, previously approved, and aligns with operational change plans before taking action.

Techniques

Sample rules

AWS RDS DB Snapshot Shared with Another Account

Description

Identifies when an AWS RDS DB snapshot is shared with another AWS account or made public. DB snapshots contain complete backups of database instances, including schemas, table data, and sensitive application content. When shared externally, snapshots can be restored in another AWS environment, enabling unauthorized access, offline analysis, or data exfiltration. Adversaries who obtain valid credentials or exploit misconfigurations may modify snapshot attributes to grant access to accounts they control, bypassing network, IAM, and monitoring controls.

Detection logic

info where event.dataset == "aws.cloudtrail"
    and event.provider == "rds.amazonaws.com"
    and event.outcome == "success"
    and event.action in ("ModifyDBSnapshotAttribute", "ModifyDBClusterSnapshotAttribute")
    and stringContains(aws.cloudtrail.request_parameters, "attributeName=restore")
    and stringContains(aws.cloudtrail.request_parameters, "valuesToAdd=[*]")
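The following Python is an added example, not part of the rule above or of any vendor's code. It applies the same conditions as the detection logic (RDS event source, the two Modify*SnapshotAttribute event names, a successful outcome, attributeName=restore, a non-empty valuesToAdd) to raw CloudTrail JSON records, then adds the triage step the false-positive note describes: grants to accounts on an approved list are dropped, grants to any other account, or to "all" (public), produce an alert. The sample records are constructed, the approved-account set is an assumed placeholder, and the request-parameter key casing (dBSnapshotIdentifier, dBClusterSnapshotIdentifier, attributeName, valuesToAdd) is taken from CloudTrail's rendering of RDS requests; check it against your own trail before relying on it.

```python
"""Triage of CloudTrail RDS snapshot-sharing events (added example).

Reproduces the rule's conditions on raw CloudTrail JSON and filters out
shares to approved accounts, as the false-positive note recommends.
"""

# Assumed placeholder: the organization's approved backup / DR account(s).
APPROVED_ACCOUNTS = {"111111111111"}

SHARE_EVENTS = {"ModifyDBSnapshotAttribute", "ModifyDBClusterSnapshotAttribute"}


def _record(event_name, params, error_code=None,
            actor="arn:aws:iam::123456789012:user/dba"):
    """Build a minimal CloudTrail record (constructed sample data, not real logs)."""
    rec = {
        "eventTime": "2024-05-01T12:00:00Z",
        "eventSource": "rds.amazonaws.com",
        "eventName": event_name,
        "userIdentity": {"arn": actor},
        "requestParameters": params,
    }
    if error_code:
        rec["errorCode"] = error_code
    return rec


# Constructed sample records covering the cases a triager meets.
SAMPLE_RECORDS = [
    # 1. share to the approved backup account: expected, no alert
    _record("ModifyDBSnapshotAttribute",
            {"dBSnapshotIdentifier": "prod-orders-2024-05-01",
             "attributeName": "restore", "valuesToAdd": ["111111111111"]}),
    # 2. share to an unknown account: alert
    _record("ModifyDBSnapshotAttribute",
            {"dBSnapshotIdentifier": "prod-orders-2024-05-01",
             "attributeName": "restore", "valuesToAdd": ["999999999999"]}),
    # 3. made public ("all"): alert, flagged as public
    _record("ModifyDBSnapshotAttribute",
            {"dBSnapshotIdentifier": "prod-users-2024-05-01",
             "attributeName": "restore", "valuesToAdd": ["all"]}),
    # 4. revoking a share: valuesToRemove only, nothing is granted
    _record("ModifyDBSnapshotAttribute",
            {"dBSnapshotIdentifier": "prod-orders-2024-05-01",
             "attributeName": "restore", "valuesToRemove": ["999999999999"]}),
    # 5. denied attempt: errorCode is set, so the outcome is not success
    _record("ModifyDBSnapshotAttribute",
            {"dBSnapshotIdentifier": "prod-users-2024-05-01",
             "attributeName": "restore", "valuesToAdd": ["999999999999"]},
            error_code="AccessDenied"),
    # 6. cluster snapshot shared with one approved and one unexpected account
    _record("ModifyDBClusterSnapshotAttribute",
            {"dBClusterSnapshotIdentifier": "aurora-prod-2024-05-01",
             "attributeName": "restore",
             "valuesToAdd": ["111111111111", "222222222222"]}),
]


def restore_grants(record):
    """Accounts (or "all") a successful share grants restore access to.

    Returns [] when the record does not satisfy the rule's conditions.
    """
    if record.get("eventSource") != "rds.amazonaws.com":
        return []
    if record.get("eventName") not in SHARE_EVENTS:
        return []
    if record.get("errorCode"):  # CloudTrail sets errorCode on failed calls
        return []
    params = record.get("requestParameters") or {}
    if params.get("attributeName") != "restore":
        return []
    return [str(v) for v in (params.get("valuesToAdd") or [])]


def triage(records, approved_accounts):
    """One alert per record that grants restore access outside the approved set."""
    alerts = []
    for rec in records:
        unexpected = [a for a in restore_grants(rec) if a not in approved_accounts]
        if not unexpected:
            continue  # no grant, or every grantee is pre-approved
        params = rec["requestParameters"]
        alerts.append({
            "time": rec.get("eventTime"),
            "snapshot": params.get("dBSnapshotIdentifier")
            or params.get("dBClusterSnapshotIdentifier"),
            "actor": rec.get("userIdentity", {}).get("arn"),
            "accounts": unexpected,
            "public": "all" in unexpected,
        })
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_RECORDS, APPROVED_ACCOUNTS):
        print(alert)
```

Records 1, 4 and 5 produce nothing: an approved grantee, a revocation, and a denied call are exactly the cases the rule's `event.outcome == "success"` and `valuesToAdd` conditions plus the approved-account check are meant to discard. Record 6 still alerts, but only on the account that was not approved, which is what an analyst needs to see when a legitimate share was bundled with an unexpected one.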