IAM role attached to an AWS RDS instance
Description
AlphaSOC detected that an Identity and Access Management (IAM) role was attached to an AWS Relational Database Service (RDS) instance, i.e. a successful `rds:AddRoleToDBInstance` call, which CloudTrail records with the event name `AddRoleToDBInstance`. This action is a normal part of system administration (for example, enabling S3 import/export for a database), but it may also indicate an attempt to escalate privileges or gain unauthorized access to database resources. Actions initiated by AWS services on the account's behalf and failed attempts (records carrying an `errorCode`) are exempt from detection to avoid false positives.
Impact
Attaching an IAM role to an RDS instance can significantly widen what the database can reach in the account. The role is bound to a named feature (the `FeatureName` parameter of the call, such as S3 import/export or Lambda invocation), so depending on the permissions the role grants, database users could interact with other AWS services (e.g. reading from or writing to S3 buckets, or invoking Lambda functions), or execute operations outside the scope of the instance's intended purpose. Because these features are driven from inside the database, an attacker who already holds a database login, or a SQL injection foothold, can use them without any AWS credentials of their own; exporting tables to an attacker-controlled S3 bucket is enough to exfiltrate the database. This can lead to privilege escalation, data breaches, or unauthorized modifications to resources if misused, particularly in the hands of a threat actor.
Severity
| Severity | Condition |
|---|---|
| Informational | IAM role attached to an RDS instance |
| Low | IAM role attached to an RDS instance by a client with an unexpected user agent |
| Low | IAM role attached to an RDS instance by a client IP within an unexpected ASN |
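As an added example that is not part of the AlphaSOC page or product, the following Python evaluates constructed CloudTrail records for this detection: it filters to successful `AddRoleToDBInstance` events, applies the exemptions from the Description (service-initiated actions and failed attempts), and assigns the severity tiers from the table above. The record layout follows CloudTrail's format; the baseline user-agent prefixes, the IP-to-ASN table and the set of expected ASNs are assumptions standing in for a real environment baseline and ASN database.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed baseline for this account: tooling and source networks that are normal.
# A real deployment would learn these from history rather than hard-code them.
EXPECTED_USER_AGENT_PREFIXES = ("aws-cli/", "console.amazonaws.com", "Boto3/", "aws-sdk-go/")
EXPECTED_ASNS = {16509}  # constructed: the ASN the admin VPN egress lives in

# Constructed IP-prefix -> ASN table standing in for a GeoIP/ASN database.
ASN_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), 16509),
    (ipaddress.ip_network("198.51.100.0/24"), 64500),
]

SEVERITY_INFO, SEVERITY_LOW = "Informational", "Low"


@dataclass
class Alert:
    severity: str
    db_instance: str
    role_arn: str
    feature: str
    principal: str
    reasons: tuple


def lookup_asn(ip: str) -> Optional[int]:
    """Map a source address to an ASN via the constructed table; None if unknown."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None  # service-style sources such as "rds.amazonaws.com"
    for net, asn in ASN_TABLE:
        if addr in net:
            return asn
    return None


def evaluate(event: dict) -> Optional[Alert]:
    """Return an Alert for a qualifying CloudTrail record, or None if exempt/irrelevant."""
    if event.get("eventSource") != "rds.amazonaws.com":
        return None
    # Aurora clusters use AddRoleToDBCluster; this page covers instances only.
    if event.get("eventName") != "AddRoleToDBInstance":
        return None
    # Failed attempts carry errorCode (e.g. AccessDenied): exempt.
    if "errorCode" in event:
        return None
    identity = event.get("userIdentity", {})
    # Actions AWS services take on the customer's behalf: exempt.
    if identity.get("type") == "AWSService" or "invokedBy" in identity:
        return None

    reasons = []
    ua = event.get("userAgent", "")
    if not ua.startswith(EXPECTED_USER_AGENT_PREFIXES):
        reasons.append(f"unexpected user agent {ua!r}")
    asn = lookup_asn(event.get("sourceIPAddress", ""))
    if asn not in EXPECTED_ASNS:
        reasons.append(f"source ASN {asn} outside expected set")

    params = event.get("requestParameters", {})
    return Alert(
        severity=SEVERITY_LOW if reasons else SEVERITY_INFO,
        db_instance=params.get("dBInstanceIdentifier", "?"),
        role_arn=params.get("roleArn", "?"),
        feature=params.get("featureName", "?"),
        principal=identity.get("arn", identity.get("type", "?")),
        reasons=tuple(reasons),
    )


def run(events) -> list:
    """Evaluate a batch of records and keep only the ones that alert."""
    return [a for a in (evaluate(e) for e in events) if a is not None]


# Constructed sample records (not real CloudTrail output).
_PARAMS = {"dBInstanceIdentifier": "prod-orders",
           "roleArn": "arn:aws:iam::111122223333:role/rds-s3-import",
           "featureName": "s3Import"}
SAMPLE_EVENTS = [
    # 1. Admin via the CLI from the expected ASN -> Informational
    {"eventSource": "rds.amazonaws.com", "eventName": "AddRoleToDBInstance",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/DBAdmin/alice"},
     "sourceIPAddress": "203.0.113.10",
     "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.5", "requestParameters": _PARAMS},
    # 2. Same action, unusual tooling from an unknown network -> Low, two reasons
    {"eventSource": "rds.amazonaws.com", "eventName": "AddRoleToDBInstance",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ci-bot"},
     "sourceIPAddress": "198.51.100.7",
     "userAgent": "python-requests/2.31.0", "requestParameters": _PARAMS},
    # 3. Denied attempt -> exempt
    {"eventSource": "rds.amazonaws.com", "eventName": "AddRoleToDBInstance",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/intern"},
     "sourceIPAddress": "198.51.100.9", "userAgent": "curl/8.4.0", "requestParameters": _PARAMS},
    # 4. Service-initiated -> exempt
    {"eventSource": "rds.amazonaws.com", "eventName": "AddRoleToDBInstance",
     "userIdentity": {"type": "AWSService", "invokedBy": "rds.amazonaws.com"},
     "sourceIPAddress": "rds.amazonaws.com", "userAgent": "rds.amazonaws.com",
     "requestParameters": _PARAMS},
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

Either anomalous attribute alone yields Low, matching the table; both together still yield Low, since the page defines no higher tier. The `featureName` is carried in the alert because it tells the responder what the role can actually be used for from inside the database.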
Investigation and Remediation
Investigate the specifics of the IAM role attached and the RDS instance involved to verify if this action was authorized: pull the CloudTrail record and note the principal, source IP, user agent, `roleArn` and `featureName`, and confirm with the database owners that the attachment was expected. Review the permissions granted by the role and ensure they adhere to the principle of least privilege (for S3 import/export, scope the policy to the specific bucket and prefix; the role's trust policy should allow only `rds.amazonaws.com` to assume it). If unauthorized, immediately detach the role (`rds:RemoveRoleFromDBInstance`), rotate any credentials of the principal that made the call, and investigate for signs of data access or manipulation, such as S3 data events showing exports from the database or unexpected Lambda invocations under that role.
Known False Positives
- Legitimate system administrators attaching roles as part of authorized database management tasks