DB snapshot sharing is a common practice in AWS environments. Ensure that the sharing is authorized before taking action.

Techniques

Sample rules

AWS RDS DB Snapshot Shared with Another Account

Description

Identifies an AWS RDS DB snapshot being shared with another AWS account. DB snapshots contain a full backup of an entire DB instance including sensitive data that can be abused if shared with unauthorized accounts or made public. Adversaries may use snapshots to restore a DB Instance in an environment they control as a means of data exfiltration.

Detection logic

any where event.dataset == "aws.cloudtrail"
    and event.provider == "rds.amazonaws.com"
    and event.outcome == "success"
    and event.action in ("ModifyDBSnapshotAttribute", "ModifyDBClusterSnapshotAttribute")
    and stringContains(aws.cloudtrail.request_parameters, "attributeName=restore")
    and stringContains(aws.cloudtrail.request_parameters, "valuesToAdd=[*]")
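As an added example (not part of this page or of the rule's own code), the rule's conditions replayed in Python over constructed CloudTrail records, followed by the allowlist check that implements the "ensure the sharing is authorized" triage step. The account IDs, snapshot names and the allowlist are assumptions.

```python
# Constructed CloudTrail records (not real logs) in the shape RDS emits for
# ModifyDBSnapshotAttribute / ModifyDBClusterSnapshotAttribute calls.
def _event(name, params, error=None):
    rec = {"eventSource": "rds.amazonaws.com", "eventName": name, "requestParameters": params}
    return {**rec, "errorCode": error} if error else rec

SAMPLE_EVENTS = [
    # shared with a known partner account
    _event("ModifyDBSnapshotAttribute", {"dBSnapshotIdentifier": "prod-db-01",
                                          "attributeName": "restore", "valuesToAdd": ["222222222222"]}),
    # cluster snapshot shared with an account not on the allowlist
    _event("ModifyDBClusterSnapshotAttribute", {"dBClusterSnapshotIdentifier": "aurora-nightly",
                                                 "attributeName": "restore", "valuesToAdd": ["333333333333"]}),
    # snapshot made public
    _event("ModifyDBSnapshotAttribute", {"dBSnapshotIdentifier": "prod-db-02",
                                          "attributeName": "restore", "valuesToAdd": ["all"]}),
    # revocation only: no valuesToAdd, so the rule must stay silent
    _event("ModifyDBSnapshotAttribute", {"dBSnapshotIdentifier": "prod-db-01",
                                          "attributeName": "restore", "valuesToRemove": ["222222222222"]}),
    # denied call: event.outcome would be "failure", so no match
    _event("ModifyDBSnapshotAttribute", {"dBSnapshotIdentifier": "prod-db-03",
                                          "attributeName": "restore", "valuesToAdd": ["444444444444"]},
           error="AccessDenied"),
]

# Assumption: accounts this organization has approved for snapshot sharing.
AUTHORIZED_ACCOUNTS = {"222222222222"}
SHARE_ACTIONS = {"ModifyDBSnapshotAttribute", "ModifyDBClusterSnapshotAttribute"}

def matches_rule(event):
    """The rule's conditions, evaluated on the structured requestParameters
    rather than on the flattened string the EQL stringContains() inspects."""
    params = event.get("requestParameters") or {}
    return (event.get("eventSource") == "rds.amazonaws.com"
            and "errorCode" not in event                # event.outcome == "success"
            and event.get("eventName") in SHARE_ACTIONS
            and params.get("attributeName") == "restore"
            and bool(params.get("valuesToAdd")))        # valuesToAdd=[*]

def triage(event, authorized=AUTHORIZED_ACCOUNTS):
    """None when the rule does not fire; otherwise 'public', 'authorized' or
    'unauthorized', so the allowlist absorbs the expected false positives."""
    if not matches_rule(event):
        return None
    added = set(event["requestParameters"]["valuesToAdd"])
    if "all" in added:
        return "public"
    return "authorized" if added <= authorized else "unauthorized"

def triage_all(events=SAMPLE_EVENTS):
    return [triage(e) for e in events]
```

Only the "unauthorized" and "public" verdicts need an analyst; "authorized" is the benign sharing the false-positive note describes.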