Triggers
- An AWS control-plane API was invoked which modified the attributes of a RDS snapshot granting either an unknown, external account or the public the ability to restore a RDS database from the snapshot.
Possible Root Causes
- An attacker may be exfiltrating data contained in the RDS database by sharing a snapshot externally.
- An authorized administrator may be performing backup or disaster recovery activities or sharing snapshots in order to coordinate troubleshooting efforts.
Business Impact
- Exfiltration of RDS database snapshots by an attacker may expose details that support further attack progression. An impacted organization may incur data loss, impacting the confidentiality of sensitive information contained in the impacted RDS database.
Steps to Verify
- Investigate the Principal that performed the actions for other signs of malicious activity.
- Investigate for potential data loss.
- Validate that any modifications to snapshot attributes are authorized, given the purpose and policies governing this resource.
- If review indicates possible malicious actions or high-risk configuration:
- Revert any configuration changes.
- Disable credentials associated with this alert.
- Perform a comprehensive investigation to determine initial compromise and scope of impacted resources.