Restoring an RDS DB instance may be performed legitimately during troubleshooting, development refresh processes, migrations, or disaster-recovery drills. Validate the user identity, source IP, automation context, and whether the restoration aligns with a known maintenance or testing workflow before treating the event as suspicious. Expected behavior can be exempted through rule exceptions.

Techniques

Sample rules

AWS RDS DB Instance Restored

Description

Identifies the restoration of an AWS RDS database instance from a DB snapshot or from backup files staged in S3. Adversaries holding valid credentials may restore a copy of an existing database into a new instance, which sidesteps the logging, monitoring, and access controls configured on the original and gives them a duplicate environment from which to read sensitive data. This rule matches successful calls to "RestoreDBInstanceFromDBSnapshot" or "RestoreDBInstanceFromS3"; failed attempts (for example, AccessDenied) are not matched. A hit may indicate unauthorized data access or post-compromise defense evasion, so confirm the caller, source address, and any associated change or DR ticket before escalating.

Detection logic

event.dataset: "aws.cloudtrail"
    and event.provider: "rds.amazonaws.com"
    and event.action: ("RestoreDBInstanceFromDBSnapshot" or "RestoreDBInstanceFromS3")
    and event.outcome: "success"
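The following is an added example, not part of the LoFP page or the Elastic rule, showing the query above evaluated over constructed CloudTrail records together with the triage step the false-positive note describes (exempting known automation principals from an expected network). It assumes the field mapping used by the Elastic aws.cloudtrail integration (eventSource to event.provider, eventName to event.action, and event.outcome derived from the presence of errorCode); the sample records, account ID, role names, and IP ranges are made up for illustration.

```python
"""Evaluate the 'AWS RDS DB Instance Restored' logic over raw CloudTrail records.

Added example (not the rule author's code). The ECS mapping below is an
assumption that mirrors the Elastic aws.cloudtrail integration; verify it
against your own pipeline before relying on it.
"""
import ipaddress
from dataclasses import dataclass

RESTORE_ACTIONS = {"RestoreDBInstanceFromDBSnapshot", "RestoreDBInstanceFromS3"}


def to_ecs(record: dict) -> dict:
    """Project the CloudTrail fields the rule uses onto the ECS names it queries."""
    return {
        "event.dataset": "aws.cloudtrail",
        "event.provider": record.get("eventSource", ""),
        "event.action": record.get("eventName", ""),
        # CloudTrail only writes errorCode on failed calls.
        "event.outcome": "failure" if record.get("errorCode") else "success",
        "user.arn": record.get("userIdentity", {}).get("arn", ""),
        "source.ip": record.get("sourceIPAddress", ""),
    }


def matches_rule(ecs: dict) -> bool:
    """Literal translation of the KQL on the page."""
    return (
        ecs["event.dataset"] == "aws.cloudtrail"
        and ecs["event.provider"] == "rds.amazonaws.com"
        and ecs["event.action"] in RESTORE_ACTIONS
        and ecs["event.outcome"] == "success"
    )


@dataclass(frozen=True)
class RuleException:
    """A principal allowed to restore, and the network it is expected to call from."""
    arn_prefix: str
    source_network: str


def triage(ecs: dict, exceptions: list[RuleException]) -> str:
    """Return 'no_match', 'exempt' (known workflow) or 'review' (analyst should look)."""
    if not matches_rule(ecs):
        return "no_match"
    try:
        ip = ipaddress.ip_address(ecs["source.ip"])
    except ValueError:
        # Service-initiated calls carry a service name instead of an IP; never auto-exempt those.
        return "review"
    for exc in exceptions:
        if ecs["user.arn"].startswith(exc.arn_prefix) and ip in ipaddress.ip_network(exc.source_network):
            return "exempt"
    return "review"


def run(records: list[dict], exceptions: list[RuleException]) -> list[tuple[str, str]]:
    return [(r["eventName"], triage(to_ecs(r), exceptions)) for r in records]


# Constructed records (hypothetical account, roles and addresses), not real CloudTrail output.
SAMPLE_RECORDS = [
    {   # DR drill run by the automation role from the CI egress range: expected.
        "eventSource": "rds.amazonaws.com", "eventName": "RestoreDBInstanceFromDBSnapshot",
        "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/dr-drill-automation/ci"},
        "sourceIPAddress": "203.0.113.10",
    },
    {   # Interactive IAM user restoring from S3 from an unknown address: review.
        "eventSource": "rds.amazonaws.com", "eventName": "RestoreDBInstanceFromS3",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"},
        "sourceIPAddress": "198.51.100.77",
    },
    {   # Denied attempt: event.outcome is 'failure', so the rule does not fire.
        "eventSource": "rds.amazonaws.com", "eventName": "RestoreDBInstanceFromDBSnapshot",
        "errorCode": "AccessDenied",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"},
        "sourceIPAddress": "198.51.100.77",
    },
    {   # Unrelated RDS read call.
        "eventSource": "rds.amazonaws.com", "eventName": "DescribeDBInstances",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"},
        "sourceIPAddress": "198.51.100.77",
    },
]

EXCEPTIONS = [
    RuleException("arn:aws:sts::123456789012:assumed-role/dr-drill-automation/", "203.0.113.0/24"),
]

if __name__ == "__main__":
    for name, verdict in run(SAMPLE_RECORDS, EXCEPTIONS):
        print(f"{name:32s} {verdict}")
```

The exception is keyed on both the principal and the source network on purpose: a leaked automation role's credentials used from an unexpected address still land in the review queue rather than being silently exempted.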