Data Encrypted for Impact: RDS Data Encryption
AWS Specific Sub-Technique
Other sub-techniques of Data Encrypted for Impact (3)
| ID | Name |
|---|---|
| T1486.A002 | EC2/EBS Data Encryption |
| T1486.A003 | RDS Data Encryption |
| T1486.A001 | S3 Encryption - SSE-C Key Encryption |
A prerequisite for this technique is that a threat actor has already gained access to AWS account credentials with permissions to modify RDS databases and their configurations.
Threat actors can attempt to encrypt data within RDS databases as part of ransom attacks. This can involve directly encrypting database contents, modifying database encryption settings, and potentially deleting database backups to prevent recovery.
Detection
When this technique is used, RDS actions will be logged in CloudTrail. You can use the Event history page in the AWS CloudTrail console to view the last 90 days of events related to RDS actions such as rds:CopyDBSnapshot or rds:DeleteDBSnapshot.
A separate CloudTrail trail will provide an ongoing record of database modification events. Monitor for unexpected patterns such as rapid snapshot deletion, unusual encryption key changes, or multiple database modifications. CloudWatch metric filters can be created to alert on critical RDS API calls, particularly those affecting encryption settings or backup configurations.
Amazon GuardDuty findings may indicate unusual database access patterns or suspicious API calls related to RDS resources. Additionally, GuardDuty RDS Protection detects anomalous login behavior on RDS database instances.
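The three patterns named above (rapid snapshot deletion, encryption key changes, bursts of database modifications) can be expressed as rules over CloudTrail records. The following is an added example, not code from the original page: it parses CloudTrail JSON records and flags RDS calls that match those patterns. The records are constructed, and every account ID, ARN and KMS key ID in them is a placeholder; the field names (eventSource, eventName, userIdentity.arn, requestParameters) follow the CloudTrail record shape for RDS API calls.

```python
"""Rule-based detection of RDS ransom-style activity over CloudTrail records.

Added example (not the page's own code). Inputs below are constructed samples.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# KMS keys the organisation expects RDS snapshots to use (placeholder ARN).
TRUSTED_KMS_KEYS = {
    "arn:aws:kms:us-east-1:111111111111:key/11111111-aaaa-bbbb-cccc-111111111111",
}

# Constructed CloudTrail records: one principal deletes three snapshots in quick
# succession, copies a snapshot under a key from another account, then deletes the
# instance without a final snapshot; a second principal makes one routine change.
ACTOR = "arn:aws:iam::111111111111:user/backup-admin"
DBA = "arn:aws:iam::111111111111:user/dba"
FOREIGN_KEY = "arn:aws:kms:us-east-1:999999999999:key/99999999-dddd-eeee-ffff-999999999999"
SAMPLE_RECORDS = [
    {"eventTime": "2024-05-01T09:30:00Z", "eventSource": "rds.amazonaws.com",
     "eventName": "ModifyDBInstance", "userIdentity": {"arn": DBA},
     "requestParameters": {"dBInstanceIdentifier": "prod-db", "backupRetentionPeriod": 14}},
    {"eventTime": "2024-05-01T10:00:05Z", "eventSource": "rds.amazonaws.com",
     "eventName": "DeleteDBSnapshot", "userIdentity": {"arn": ACTOR},
     "requestParameters": {"dBSnapshotIdentifier": "prod-db-snap-1"}},
    {"eventTime": "2024-05-01T10:00:40Z", "eventSource": "rds.amazonaws.com",
     "eventName": "DeleteDBSnapshot", "userIdentity": {"arn": ACTOR},
     "requestParameters": {"dBSnapshotIdentifier": "prod-db-snap-2"}},
    {"eventTime": "2024-05-01T10:01:10Z", "eventSource": "rds.amazonaws.com",
     "eventName": "DeleteDBSnapshot", "userIdentity": {"arn": ACTOR},
     "requestParameters": {"dBSnapshotIdentifier": "prod-db-snap-3"}},
    {"eventTime": "2024-05-01T10:02:00Z", "eventSource": "rds.amazonaws.com",
     "eventName": "CopyDBSnapshot", "userIdentity": {"arn": ACTOR},
     "requestParameters": {"sourceDBSnapshotIdentifier": "prod-db-snap-4",
                           "targetDBSnapshotIdentifier": "prod-db-snap-4-copy",
                           "kmsKeyId": FOREIGN_KEY}},
    {"eventTime": "2024-05-01T10:03:30Z", "eventSource": "rds.amazonaws.com",
     "eventName": "DeleteDBInstance", "userIdentity": {"arn": ACTOR},
     "requestParameters": {"dBInstanceIdentifier": "prod-db", "skipFinalSnapshot": True,
                           "deleteAutomatedBackups": True}},
    {"eventTime": "2024-05-01T10:04:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "userIdentity": {"arn": ACTOR}},
]

REKEYING_CALLS = {"CopyDBSnapshot", "CopyDBClusterSnapshot", "RestoreDBInstanceFromDBSnapshot"}
INSTANCE_DELETES = {"DeleteDBInstance", "DeleteDBCluster"}
SNAPSHOT_DELETES = {"DeleteDBSnapshot", "DeleteDBClusterSnapshot"}


def parse_time(ts):
    """CloudTrail timestamps are ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def _burst(times, threshold, window):
    """True if at least `threshold` sorted timestamps fall inside one `window`."""
    start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False


def analyze(records, window=timedelta(minutes=10), snapshot_threshold=3,
            change_threshold=5, trusted_keys=TRUSTED_KMS_KEYS):
    """Return a list of findings ({rule, principal, detail}) for the RDS records."""
    findings = []
    rds = sorted((r for r in records if r.get("eventSource") == "rds.amazonaws.com"),
                 key=lambda r: parse_time(r["eventTime"]))
    by_principal = defaultdict(list)
    for r in rds:
        by_principal[r["userIdentity"]["arn"]].append(r)

    for principal, events in by_principal.items():
        for ev in events:
            params = ev.get("requestParameters") or {}
            key = params.get("kmsKeyId")
            # Snapshot copied or restored under a key outside the trusted set.
            if ev["eventName"] in REKEYING_CALLS and key and key not in trusted_keys:
                findings.append({"rule": "foreign_kms_key", "principal": principal,
                                 "detail": f"{ev['eventName']} with kmsKeyId {key}"})
            # Instance removed while discarding the recovery points.
            if ev["eventName"] in INSTANCE_DELETES and (
                    params.get("skipFinalSnapshot") or params.get("deleteAutomatedBackups")):
                findings.append({"rule": "destructive_delete", "principal": principal,
                                 "detail": f"{ev['eventName']} {params.get('dBInstanceIdentifier')}"})
        # Many snapshot deletions by one principal inside the window.
        snaps = [parse_time(e["eventTime"]) for e in events if e["eventName"] in SNAPSHOT_DELETES]
        if _burst(snaps, snapshot_threshold, window):
            findings.append({"rule": "rapid_snapshot_deletion", "principal": principal,
                             "detail": f"{len(snaps)} snapshot deletions"})
        # Any burst of configuration-changing calls (Modify*/Delete*/Copy*).
        changes = [parse_time(e["eventTime"]) for e in events
                   if e["eventName"].startswith(("Modify", "Delete", "Copy"))]
        if _burst(changes, change_threshold, window):
            findings.append({"rule": "modification_burst", "principal": principal,
                             "detail": f"{len(changes)} modifying calls"})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_RECORDS):
        print(f["rule"], f["principal"], f["detail"])
```

The thresholds and window are deliberately parameters: tune them per environment, and feed real records from the trail's S3 bucket or a CloudWatch Logs subscription rather than the constructed list.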
Mitigation
Implement strict IAM policies that limit RDS modification permissions to authorized personnel and require MFA for critical changes. For an example of how to require MFA for deletion, see this AWS blog post. Configure automated backups with appropriate retention periods and implement cross-region backup copies to protect against regional incidents or malicious deletion. For more information about cross-region automated backups, see the AWS documentation here.
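The MFA requirement above is normally applied as an explicit Deny on the destructive RDS actions, conditioned on the aws:MultiFactorAuthPresent context key, attached alongside whatever Allow the operators already have. The block below is an added example, not code from the page or from AWS: mfa_guard_policy builds that policy document, and a small evaluator models the two IAM rules the example depends on (an explicit Deny overrides any Allow; BoolIfExists treats a missing context key as a match, so sessions that carry no MFA information are denied too). The evaluator is a teaching aid and not a substitute for the IAM policy simulator; OPERATOR_POLICY is an assumed baseline, not a recommended grant.

```python
"""Deny-without-MFA guard for destructive RDS actions, with a minimal IAM evaluator.

Added example (not the page's or AWS's own code). The policy document is a real
IAM shape; the evaluator covers only Allow/Deny ordering and Bool/BoolIfExists.
"""
from fnmatch import fnmatchcase

# Actions that remove data or recovery points, or change instance configuration.
DESTRUCTIVE_RDS_ACTIONS = [
    "rds:DeleteDBInstance",
    "rds:DeleteDBCluster",
    "rds:DeleteDBSnapshot",
    "rds:DeleteDBClusterSnapshot",
    "rds:DeleteDBInstanceAutomatedBackup",
    "rds:ModifyDBInstance",
    "rds:ModifyDBCluster",
]

# Assumed baseline grant that the guard is layered on top of (illustrative only).
OPERATOR_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "rds:*", "Resource": "*"}],
}


def mfa_guard_policy(actions=DESTRUCTIVE_RDS_ACTIONS):
    """Return an IAM policy that denies `actions` unless the caller authenticated with MFA."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyDestructiveRdsWithoutMfa",
            "Effect": "Deny",
            "Action": list(actions),
            "Resource": "*",
            # BoolIfExists: deny when the key is "false" OR when it is absent entirely.
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        }],
    }


def _condition_matches(condition, context):
    """Evaluate Bool / BoolIfExists condition blocks against a request context."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in context
            actual = str(context.get(key)).lower()
            if operator == "Bool":
                if not present or actual != expected:
                    return False
            elif operator == "BoolIfExists":
                if present and actual != expected:
                    return False
            else:
                raise ValueError(f"unsupported operator in this example: {operator}")
    return True


def evaluate(policies, action, context):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for `action` under `policies`."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
            if not any(fnmatchcase(action, pattern) for pattern in actions):
                continue
            if not _condition_matches(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"          # explicit Deny always wins
            decision = "Allow"
    return decision


if __name__ == "__main__":
    policies = [OPERATOR_POLICY, mfa_guard_policy()]
    for ctx in ({}, {"aws:MultiFactorAuthPresent": "true"}):
        print("rds:DeleteDBInstance", ctx, "->", evaluate(policies, "rds:DeleteDBInstance", ctx))
```

Attach the generated document as a customer-managed policy (or SCP) rather than editing the operators' Allow statements, so the guard survives changes to their baseline permissions.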