public access is a common configuration used to enable access from outside a private vpc. ensure that the instance should not be modified in this way before taking action.

t1556
aws
elastic

Techniques

T1556

Sample rules

AWS RDS DB Instance Made Public

source: elastic
technicques:
- T1556

Description

Identifies the creation or modification of an AWS RDS DB instance to enable public access. DB instances may contain sensitive data that can be abused if shared with unauthorized accounts or made public. Adversaries may enable public access on a DB instance to maintain persistence or evade defenses by bypassing access controls.

Detection logic

any where event.dataset == "aws.cloudtrail"
    and event.provider == "rds.amazonaws.com"
    and event.outcome == "success"
    and (
        (event.action == "ModifyDBInstance" and stringContains(aws.cloudtrail.request_parameters, "publiclyAccessible=true"))
        or 
        (event.action in ("CreateDBInstance", "CreateDBCluster") and stringContains(aws.cloudtrail.request_parameters, "publiclyAccessible=true"))
    )