Data from Information Repositories: RDS Instance Manipulation
AWS Specific Sub-Technique
Other sub-techniques of Data from Information Repositories (6)
| ID | Name |
|---|---|
| T1213.A013 | RDS Instance Manipulation |
AWS Specific Content
A prerequisite for this technique is that an Amazon RDS instance has been configured to be publicly accessible from the internet and has unrestricted or overly permissive VPC security groups assigned to it.
A threat actor who can reach such an instance can view, modify, copy, or delete the data it holds. Threat actors have deleted databases and tables as part of extortion attempts and have inserted ransom notes for victims into RDS instances as database records.
Detection
AWS Specific Content
Configure, review, and monitor VPC Flow Logs for traffic to the RDS instance. If a threat actor attempts to access and log in to your RDS instance, and Amazon GuardDuty with GuardDuty RDS Protection is enabled in the AWS account, GuardDuty may generate a finding for this activity. For example, the CredentialAccess:RDS/AnomalousBehavior.FailedLogin finding identifies one or more unusual failed login attempts observed on an RDS database in your account. The GuardDuty documentation describes the full set of RDS Protection finding types and how RDS Protection works.
You can also enable database audit logging for Amazon RDS, which records database activity and may capture unauthorized actions a threat actor performs within the RDS data plane.
Mitigation
AWS Specific Content
Configure the RDS instance so that it is not publicly accessible. This removes the public IP address from the instance and prevents access from the public internet. Make sure that the security groups assigned to the RDS instance permit only necessary and authorized hosts; the RDS documentation covers how to control access with security groups, and a tutorial video shows how to move an RDS instance from a public subnet to a private subnet. Additionally, consider IAM database authentication instead of password-based authentication, as it lets you centrally manage access to your database resources. Amazon recommends cloud-native network controls, such as placing the instance in a private virtual private cloud (VPC), over IP-address-based permissions such as security group rules, because restricting access to a private VPC is more robust than allow-listing IP addresses.
You can also use AWS Config rules to check whether RDS instances are publicly accessible, and Security Hub controls can check whether RDS instances prohibit public access.
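As an added example (not part of this catalog entry or of any AWS tool), the following Python check applies the prerequisite and the mitigation above to exported API data: it flags instances that are publicly accessible and whose attached security groups admit the database port from a CIDR outside an allow-list of authorized networks. It operates on dicts shaped like the DBInstances and SecurityGroups arrays returned by rds:DescribeDBInstances and ec2:DescribeSecurityGroups; the instance names, group IDs and CIDRs are constructed sample data.

```python
import ipaddress

def rule_covers_port(rule, port):
    """True if an EC2 IpPermissions entry admits TCP traffic to `port`."""
    if rule.get("IpProtocol") == "-1":      # "-1" = all protocols and all ports
        return True
    return (rule.get("IpProtocol") in ("tcp", "6")
            and rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535))

def cidr_authorized(cidr, allowed_cidrs):
    """True only if `cidr` lies wholly inside an allowed network of the same IP version."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == a.version and net.subnet_of(a)
               for a in map(ipaddress.ip_network, allowed_cidrs))

def find_exposed_instances(db_instances, security_groups, allowed_cidrs):
    """Return {db_id: [(sg_id, cidr), ...]} for instances that are PubliclyAccessible
    and whose security groups admit the DB port from a CIDR outside `allowed_cidrs`."""
    sg_by_id = {sg["GroupId"]: sg for sg in security_groups}
    findings = {}
    for db in db_instances:
        if not db.get("PubliclyAccessible"):
            continue                        # no public address: not internet-reachable
        port = db["Endpoint"]["Port"]
        offenders = []
        for ref in db.get("VpcSecurityGroups", []):
            sg = sg_by_id.get(ref["VpcSecurityGroupId"], {})
            for rule in sg.get("IpPermissions", []):
                if not rule_covers_port(rule, port):
                    continue
                cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
                cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
                offenders += [(sg["GroupId"], c) for c in cidrs
                              if not cidr_authorized(c, allowed_cidrs)]
        if offenders:
            findings[db["DBInstanceIdentifier"]] = offenders
    return findings

# Constructed sample data (not real account output), shaped like the API responses.
def _db(db_id, public, port, sg_id):
    return {"DBInstanceIdentifier": db_id, "PubliclyAccessible": public,
            "Endpoint": {"Port": port}, "VpcSecurityGroups": [{"VpcSecurityGroupId": sg_id}]}
SAMPLE_DBS = [_db("prod-pg", True, 5432, "sg-open"), _db("prod-mysql", True, 3306, "sg-office"),
              _db("private-pg", False, 5432, "sg-open")]   # private: skipped even with open SG
SAMPLE_SGS = [
    {"GroupId": "sg-open", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-office", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
        "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
]
OFFICE_CIDRS = ["203.0.113.0/24"]           # the only network authorized to reach the DBs
```

Running `find_exposed_instances(SAMPLE_DBS, SAMPLE_SGS, OFFICE_CIDRS)` reports only prod-pg, exposed to 0.0.0.0/0 and ::/0 via sg-open; prod-mysql is public but reachable only from the authorized office range, and private-pg has no public address.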
This technique is typically used by threat actors as part of a ransomware campaign. AWS has published several resources on how to protect against ransomware and mitigate some of the actions described by this technique.