AWS RDS DB Snapshot Shared with Another Account
- source: elastic
- techniques:
- T1537
Description
Identifies an AWS RDS DB snapshot being shared with another AWS account. DB snapshots contain a full backup of an entire DB instance including sensitive data that can be abused if shared with unauthorized accounts or made public. Adversaries may use snapshots to restore a DB Instance in an environment they control as a means of data exfiltration.
Detection logic
any where event.dataset == "aws.cloudtrail"
and event.provider == "rds.amazonaws.com"
and event.outcome == "success"
and event.action in ("ModifyDBSnapshotAttribute", "ModifyDBClusterSnapshotAttribute")
and stringContains(aws.cloudtrail.request_parameters, "attributeName=restore")
and stringContains(aws.cloudtrail.request_parameters, "valuesToAdd=[*]")
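The query above, re-implemented as an added Python example (not Elastic's code) that runs the same conditions over constructed, offline CloudTrail-style events: it keeps successful RDS snapshot-attribute changes that add restore permissions, extracts the account IDs granted, and flags the special value "all", which makes the snapshot public rather than shared with one account. Field names mirror the ECS fields referenced in the rule; the sample events are assumptions, not real data.

```python
import re

RESTORE_ACTIONS = {"ModifyDBSnapshotAttribute", "ModifyDBClusterSnapshotAttribute"}
VALUES_TO_ADD = re.compile(r"valuesToAdd=\[([^\]]*)\]")

# Constructed sample events (hypothetical values, not real accounts or snapshots).
SAMPLE_EVENTS = [
    {   # snapshot shared with one foreign account: should match
        "event.dataset": "aws.cloudtrail", "event.provider": "rds.amazonaws.com",
        "event.outcome": "success", "event.action": "ModifyDBSnapshotAttribute",
        "aws.cloudtrail.request_parameters":
            "{dBSnapshotIdentifier=prod-db-final, attributeName=restore, valuesToAdd=[111122223333]}",
    },
    {   # cluster snapshot made public via the "all" value: should match and be flagged public
        "event.dataset": "aws.cloudtrail", "event.provider": "rds.amazonaws.com",
        "event.outcome": "success", "event.action": "ModifyDBClusterSnapshotAttribute",
        "aws.cloudtrail.request_parameters":
            "{dBClusterSnapshotIdentifier=aurora-snap-1, attributeName=restore, valuesToAdd=[all]}",
    },
    {   # a share being revoked (valuesToRemove only): should not match
        "event.dataset": "aws.cloudtrail", "event.provider": "rds.amazonaws.com",
        "event.outcome": "success", "event.action": "ModifyDBSnapshotAttribute",
        "aws.cloudtrail.request_parameters":
            "{dBSnapshotIdentifier=prod-db-final, attributeName=restore, valuesToRemove=[111122223333]}",
    },
    {   # denied call (event.outcome != success): should not match
        "event.dataset": "aws.cloudtrail", "event.provider": "rds.amazonaws.com",
        "event.outcome": "failure", "event.action": "ModifyDBSnapshotAttribute",
        "aws.cloudtrail.request_parameters":
            "{dBSnapshotIdentifier=prod-db-final, attributeName=restore, valuesToAdd=[444455556666]}",
    },
]

def restore_grantees(request_parameters: str) -> list:
    """Return the account IDs (or 'all') added to the restore attribute, else an empty list."""
    if "attributeName=restore" not in request_parameters:
        return []
    match = VALUES_TO_ADD.search(request_parameters)
    if not match or not match.group(1).strip():
        return []
    return [v.strip() for v in match.group(1).split(",")]

def detect_snapshot_sharing(events) -> list:
    """Apply the rule's conditions and return one hit per matching event."""
    hits = []
    for ev in events:
        if (ev.get("event.dataset") == "aws.cloudtrail"
                and ev.get("event.provider") == "rds.amazonaws.com"
                and ev.get("event.outcome") == "success"
                and ev.get("event.action") in RESTORE_ACTIONS):
            grantees = restore_grantees(ev.get("aws.cloudtrail.request_parameters", ""))
            if grantees:  # only sharing, not revocation, is reported
                hits.append({"action": ev["event.action"], "grantees": grantees,
                             "public": "all" in grantees})
    return hits
```

A "public" hit deserves a higher severity than a single-account share, since anyone can then restore the snapshot.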