IAM role attached to an AWS RDS instance unexpectedly

ID: aws_rds_attach_role_anomaly
Data type: AWS CloudTrail
Severity: Informational - Low
MITRE ATT&CK: TA0004 / T1098.003

Description

AlphaSOC detected that an Identity and Access Management (IAM) role was attached to an AWS Relational Database Service (RDS) instance. This action can be part of legitimate system administration but may also indicate an attempt to escalate privileges or gain unauthorized access to database resources. Actions initiated by AWS services and failed attempts are exempt from detection to avoid false positives.

Impact

Attaching an IAM role to an RDS instance can significantly alter the instance's permissions and access capabilities. Depending on the permissions granted by the IAM role, the instance could gain the ability to interact with other AWS services (e.g. accessing S3 buckets, invoking Lambda functions, or modifying DynamoDB tables), or execute operations outside the scope of its intended purpose. This can lead to privilege escalation, data breaches, or unauthorized modifications to resources if misused, particularly in the hands of a threat actor.

Severity

Severity        Condition
Informational   IAM role attached to an RDS instance
Low             IAM role attached to an RDS instance by a client with an unexpected user agent
Low             IAM role attached to an RDS instance by a client IP within an unexpected ASN
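The exemptions stated in the Description and the three severity conditions above, as an added example that is not AlphaSOC's own detection code: a small Python triage over constructed CloudTrail records for the RDS AddRoleToDBInstance API call. The user-agent allowlist, the prefix-to-ASN table and the expected ASN are assumptions standing in for a real enrichment source.

```python
import ipaddress
EXPECTED_USER_AGENT_PREFIXES = ("aws-cli/", "console.amazonaws.com", "Boto3/")  # constructed allowlist
KNOWN_PREFIXES = {ipaddress.ip_network("203.0.113.0/24"): 64496}  # stand-in for a real ASN lookup
EXPECTED_ASNS = {64496}  # constructed: the ASN the team manages RDS from (documentation range)

def asn_for(ip_text):
    """Map a source IP to an ASN via the constructed prefix table; None if not an IP or unknown."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:  # e.g. a service DNS name such as "rds.amazonaws.com"
        return None
    return next((asn for net, asn in KNOWN_PREFIXES.items() if ip in net), None)

def classify(rec):
    """Return the severity for one CloudTrail record, or None if it is exempt or unrelated."""
    if (rec.get("eventSource"), rec.get("eventName")) != ("rds.amazonaws.com", "AddRoleToDBInstance"):
        return None
    if "errorCode" in rec or rec.get("userIdentity", {}).get("invokedBy"):
        return None  # failed attempts and AWS-service-initiated calls are exempt
    if not rec.get("userAgent", "").startswith(EXPECTED_USER_AGENT_PREFIXES):
        return "Low"  # client with an unexpected user agent
    if asn_for(rec.get("sourceIPAddress", "")) not in EXPECTED_ASNS:
        return "Low"  # client IP within an unexpected ASN
    return "Informational"

def triage(records):
    """Return (severity, DB instance, role ARN, caller) for every record that should alert."""
    return [(sev, r["requestParameters"]["dBInstanceIdentifier"], r["requestParameters"]["roleArn"],
             r["userIdentity"]["arn"]) for r in records if (sev := classify(r))]

def _rec(user_agent, source_ip, error_code=None, invoked_by=None):
    """Build a minimal constructed AddRoleToDBInstance record with the fields the rule reads."""
    rec = {"eventSource": "rds.amazonaws.com", "eventName": "AddRoleToDBInstance",
           "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dba"},
           "sourceIPAddress": source_ip, "userAgent": user_agent,
           "requestParameters": {"dBInstanceIdentifier": "orders-db",
                                 "roleArn": "arn:aws:iam::111122223333:role/rds-s3-import"}}
    if error_code:
        rec["errorCode"] = error_code  # CloudTrail sets errorCode on failed calls
    if invoked_by:
        rec["userIdentity"]["invokedBy"] = invoked_by  # set when an AWS service made the call
    return rec

SAMPLE_RECORDS = [  # constructed sample input, one record per branch of the rule
    _rec("aws-cli/2.15.0 Python/3.11", "203.0.113.10"),                             # Informational
    _rec("python-requests/2.31", "203.0.113.10"),                                   # Low: user agent
    _rec("aws-cli/2.15.0 Python/3.11", "198.51.100.7"),                             # Low: ASN
    _rec("aws-cli/2.15.0 Python/3.11", "203.0.113.10", error_code="AccessDenied"),  # exempt: failed
    _rec("rds.amazonaws.com", "rds.amazonaws.com", invoked_by="rds.amazonaws.com"), # exempt: service
]
```

Running `triage(SAMPLE_RECORDS)` yields three hits (Informational, Low, Low); the two exempt records produce nothing, matching the Description.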

Investigation and Remediation

Investigate the specifics of the IAM role attached and the RDS instance involved to verify if this action was authorized. Review the permissions granted by the role and ensure they adhere to the principle of least privilege. If unauthorized, immediately detach the role, rotate any compromised credentials, and investigate for signs of data access or manipulation.

Known False Positives

  • Legitimate system administrators attaching roles as part of authorized database management tasks