rds instances or clusters may be intentionally deleted by database administrators or during planned decommissioning activities. verify the user identity, source ip, and change context to ensure the deletion is expected. cloudformation stack removals and automated cleanup workflows may also trigger these events and can be exempted if known and authorized.

t1485
aws
elastic

Techniques

T1485

Sample rules

AWS RDS DB Instance or Cluster Deleted

source: elastic
technicques:
- T1485

Description

Identifies the deletion of an Amazon RDS DB instance, Aurora cluster, or global database cluster. Deleting these resources permanently destroys stored data and can cause major service disruption. Adversaries with sufficient permissions may delete RDS resources to impede recovery, destroy evidence, or inflict operational impact on the environment.

Detection logic

event.dataset: aws.cloudtrail 
    and event.provider: rds.amazonaws.com 
    and event.action: (DeleteDBCluster or DeleteGlobalCluster or DeleteDBInstance)
    and event.outcome: success