AWS API calls indicating RDS data destruction
Description
AlphaSOC detected the use of AWS APIs indicating potential data destruction activity in the Relational Database Service (RDS). This detection indicates that someone is attempting to delete or destroy data stored in RDS databases. Actions initiated by AWS services and security tools, as well as failed attempts, are excluded from detection to avoid false positives.
Impact
Unauthorized RDS data destruction can have significant consequences for an organization. Without proper backups, the immediate technical consequences include complete loss of database records, disruption of application functionality, and potential system downtime during recovery attempts. Recovery efforts can be time consuming and costly, potentially impacting business continuity. Additionally, regulatory and compliance issues can result in financial penalties.
Severity
| Severity | Condition |
|---|---|
| Informational | One unexpected property: action, ASN, User Agent or region |
| Low | Two unexpected properties at the same time |
| Medium | Three unexpected properties at the same time |
Investigation and Remediation
Review AWS CloudTrail logs to understand the scope of the activity and identify any other potentially malicious actions. If the action was unauthorized, isolate affected systems, revoke compromised credentials, and initiate incident response procedures. Restore affected databases from the most recent backup.
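As an added example (not AlphaSOC's own detection code), the following Python script applies the logic described in the Description and Severity sections to a few constructed CloudTrail records: it keeps only successful, user-initiated destructive RDS calls, then counts how many of the four graded properties (action, ASN, User Agent, region) fall outside an expected baseline and maps that count to the severity table. The set of destructive API names (DeleteDBInstance, DeleteDBCluster, DeleteDBSnapshot and DeleteDBClusterSnapshot are real RDS actions, but the page does not say which ones the detection uses), the expected baseline, the IP-to-ASN table and the sample records are all assumptions constructed for this example.

```python
"""Triage of CloudTrail records for destructive RDS API calls.

Added example; not AlphaSOC's detection code. Destructive API names, the
baseline, the IP-to-ASN table and the sample records are constructed here.
"""
import json

# Assumption: RDS API calls treated as data-destroying (the page does not list them).
DESTRUCTIVE_RDS_ACTIONS = {
    "DeleteDBInstance", "DeleteDBCluster",
    "DeleteDBSnapshot", "DeleteDBClusterSnapshot",
}

# Constructed IP-to-ASN lookup standing in for a real ASN database.
IP_TO_ASN = {
    "10.0.0.5": "AS64500",        # constructed: corporate egress
    "198.51.100.23": "AS64501",   # constructed: unfamiliar network
}

# Constructed baseline of what is "expected" for this account.
BASELINE = {
    "actions": {"DeleteDBSnapshot"},       # snapshots are pruned routinely
    "asns": {"AS64500"},
    "user_agents": {"aws-cli/2.15.0"},
    "regions": {"us-east-1"},
}

# Page's table: one, two or three unexpected properties. Four is capped at Medium
# (assumption: the page lists no higher row).
SEVERITY_BY_COUNT = {1: "Informational", 2: "Low", 3: "Medium"}


def is_candidate(record):
    """True when a record is a successful, user-initiated destructive RDS call."""
    if record.get("eventSource") != "rds.amazonaws.com":
        return False
    if record.get("eventName") not in DESTRUCTIVE_RDS_ACTIONS:
        return False
    if record.get("errorCode"):                       # failed attempt: excluded
        return False
    if record.get("userIdentity", {}).get("invokedBy"):  # AWS service: excluded
        return False
    return True


def unexpected_properties(record, baseline=BASELINE):
    """Names of the graded properties that fall outside the baseline."""
    found = []
    if record["eventName"] not in baseline["actions"]:
        found.append("action")
    asn = IP_TO_ASN.get(record.get("sourceIPAddress"), "unknown")
    if asn not in baseline["asns"]:
        found.append("asn")
    if record.get("userAgent") not in baseline["user_agents"]:
        found.append("user_agent")
    if record.get("awsRegion") not in baseline["regions"]:
        found.append("region")
    return found


def grade(record, baseline=BASELINE):
    """Return (severity, unexpected) or None when excluded or fully expected."""
    if not is_candidate(record):
        return None
    unexpected = unexpected_properties(record, baseline)
    if not unexpected:
        return None
    return SEVERITY_BY_COUNT[min(len(unexpected), 3)], unexpected


def triage(records):
    """Grade a list of CloudTrail records and return the alerts."""
    alerts = []
    for rec in records:
        graded = grade(rec)
        if graded:
            alerts.append({"eventName": rec["eventName"],
                           "severity": graded[0], "unexpected": graded[1]})
    return alerts


def _rec(name, ip, agent, region, **extra):
    base = {"eventSource": "rds.amazonaws.com", "eventName": name,
            "sourceIPAddress": ip, "userAgent": agent, "awsRegion": region,
            "userIdentity": {"type": "IAMUser"}}
    base.update(extra)
    return base


# Constructed sample records.
SAMPLE_RECORDS = [
    _rec("DeleteDBSnapshot", "10.0.0.5", "aws-cli/2.15.0", "us-east-1"),      # routine
    _rec("DeleteDBInstance", "10.0.0.5", "aws-cli/2.15.0", "us-east-1"),      # 1 unexpected
    _rec("DeleteDBCluster", "198.51.100.23", "Boto3/1.34.0", "us-east-1"),    # 3 unexpected
    _rec("DeleteDBInstance", "198.51.100.23", "Boto3/1.34.0", "eu-west-1",
         errorCode="AccessDenied"),                                            # failed
    _rec("DeleteDBSnapshot", "10.0.0.5", "backup.amazonaws.com", "us-east-1",
         userIdentity={"type": "AWSService", "invokedBy": "backup.amazonaws.com"}),
]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_RECORDS), indent=2))
```

The record filtering mirrors the exclusions stated in the Description (failed attempts carry an errorCode; actions taken by AWS services set userIdentity.invokedBy), while the baseline sets are the knobs a defender would tune per account to keep the Known False Positives below from paging anyone.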
Known False Positives
- Authorized database cleanup or decommissioning activities
- Legitimate database schema changes or updates that involve dropping and recreating tables
- Routine maintenance activities performed by database administrators