
AWS API calls indicating RDS data destruction

ID: aws_rds_destruction
Data type: AWS CloudTrail
Severity: Informational - Medium
MITRE ATT&CK: TA0040 (Impact): T1485 (Data Destruction)

Description

AlphaSOC detected AWS API calls indicating potential data destruction in the Relational Database Service (RDS). The detection fires when a principal successfully issues RDS control-plane calls that delete or destroy data held in RDS, such as database instances, clusters or snapshots, and the properties of the call (the action, the source ASN, the user agent or the region) differ from what has previously been observed for that principal. Because the data source is CloudTrail, only management API calls are visible; statements executed inside the database engine are not. Actions initiated by AWS services and security tools, as well as failed attempts, are excluded from detection to avoid false positives.

Impact

Unauthorized RDS data destruction can have significant consequences for an organization. Without proper backups, the immediate technical consequences include complete loss of database records, disruption of application functionality, and potential system downtime during recovery attempts. Recovery efforts can be time consuming and costly, potentially impacting business continuity. Additionally, regulatory and compliance issues can result in financial penalties.

Severity

Severity        Condition
Informational   One unexpected property (action, ASN, user agent or region)
Low             Two unexpected properties at the same time
Medium          Three or more unexpected properties at the same time
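The scoring above and the exclusions from the Description can be written down as a small detector. The following Python is an added example, not AlphaSOC's own detection code. It assumes three things the page does not state: an illustrative set of destructive RDS API actions, a hypothetical per-principal baseline of previously seen properties, and an ASN precomputed from sourceIPAddress by an earlier enrichment step. The CloudTrail records at the bottom are constructed and trimmed to the fields the code reads.

```python
"""Added example (not AlphaSOC's detection code): scoring destructive RDS API calls
from CloudTrail records the way the Description and Severity sections describe.
Assumptions, none stated on the page: the destructive action set, the per-principal
baseline, and the ASN being precomputed from sourceIPAddress by an enrichment step."""
import json

# Illustrative RDS control-plane calls that remove data or its backups (assumption).
DESTRUCTIVE_RDS_ACTIONS = {
    "DeleteDBInstance", "DeleteDBCluster", "DeleteGlobalCluster",
    "DeleteDBSnapshot", "DeleteDBClusterSnapshot",
}

# Hypothetical baseline of properties previously observed for each principal.
BASELINE = {
    "arn:aws:iam::111122223333:user/dba": {
        "actions": {"DescribeDBInstances", "ModifyDBInstance", "CreateDBSnapshot"},
        "asns": {16509},
        "user_agents": {"aws-cli/2.15.0"},
        "regions": {"us-east-1"},
    },
}

# Tiers from the page's severity table; four unexpected properties also map to Medium.
SEVERITY_BY_COUNT = {1: "Informational", 2: "Low", 3: "Medium", 4: "Medium"}


def is_excluded(event):
    """Exclusions named on the page: calls made by AWS services and failed attempts."""
    identity = event.get("userIdentity", {})
    if identity.get("type") == "AWSService" or identity.get("invokedBy"):
        return True
    return bool(event.get("errorCode"))


def unexpected_properties(event, asn):
    """Names of the four scored properties that are absent from the caller's baseline."""
    base = BASELINE.get(event.get("userIdentity", {}).get("arn"))
    if base is None:  # never-seen principal: everything is unexpected
        return ["action", "asn", "user_agent", "region"]
    checks = [
        ("action", event.get("eventName"), base["actions"]),
        ("asn", asn, base["asns"]),
        ("user_agent", event.get("userAgent"), base["user_agents"]),
        ("region", event.get("awsRegion"), base["regions"]),
    ]
    return [name for name, value, seen in checks if value not in seen]


def score_event(event, asn):
    """Return an alert dict for a destructive RDS call, or None when nothing fires."""
    if event.get("eventSource") != "rds.amazonaws.com":
        return None
    if event.get("eventName") not in DESTRUCTIVE_RDS_ACTIONS or is_excluded(event):
        return None
    props = unexpected_properties(event, asn)
    if not props:  # page does not define this case; assumed to produce no alert
        return None
    return {"eventName": event["eventName"],
            "principal": event["userIdentity"].get("arn"),
            "severity": SEVERITY_BY_COUNT[len(props)],
            "unexpected": props}


def run(records):
    """records: iterable of (CloudTrail JSON line, ASN of sourceIPAddress)."""
    alerts = []
    for line, asn in records:
        alert = score_event(json.loads(line), asn)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed CloudTrail records trimmed to the fields used, with a precomputed ASN.
DBA = '{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/dba"}'
SAMPLE_RECORDS = [
    # one unexpected property (the action itself) -> Informational
    ('{"eventSource":"rds.amazonaws.com","eventName":"DeleteDBInstance","awsRegion":"us-east-1",'
     '"userAgent":"aws-cli/2.15.0","sourceIPAddress":"203.0.113.10","userIdentity":' + DBA + '}', 16509),
    # failed attempt -> excluded
    ('{"eventSource":"rds.amazonaws.com","eventName":"DeleteDBSnapshot","awsRegion":"us-east-1",'
     '"userAgent":"aws-cli/2.15.0","errorCode":"AccessDenied","userIdentity":' + DBA + '}', 16509),
    # action, ASN, user agent and region all unexpected -> Medium
    ('{"eventSource":"rds.amazonaws.com","eventName":"DeleteDBCluster","awsRegion":"eu-west-1",'
     '"userAgent":"Boto3/1.34.0","sourceIPAddress":"198.51.100.7","userIdentity":' + DBA + '}', 9009),
    # service-initiated call (for example a backup retention policy) -> excluded
    ('{"eventSource":"rds.amazonaws.com","eventName":"DeleteDBSnapshot","awsRegion":"us-east-1",'
     '"userIdentity":{"type":"AWSService","invokedBy":"backup.amazonaws.com"}}', 16509),
    # action and ASN unexpected -> Low
    ('{"eventSource":"rds.amazonaws.com","eventName":"DeleteDBInstance","awsRegion":"us-east-1",'
     '"userAgent":"aws-cli/2.15.0","sourceIPAddress":"198.51.100.7","userIdentity":' + DBA + '}', 9009),
]

if __name__ == "__main__":
    for alert in run(SAMPLE_RECORDS):
        print(alert)
```

Running the block prints three alerts (Informational, Medium, Low) and silently drops the failed and service-initiated calls. In a real pipeline the baseline would be learned per principal over a trailing window rather than hard-coded, and the ASN would come from a GeoIP or BGP lookup of sourceIPAddress.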

Investigation and Remediation

Review AWS CloudTrail logs for the same principal, access key, source IP address and user agent around the time of the event to establish the scope of the activity and to identify any other potentially malicious actions, such as prior credential use from the unexpected ASN or region. The requestParameters of the deletion call show what was destroyed and whether recovery material survives (for example, whether a final snapshot was requested or skipped, and whether automated backups were retained). If the action was unauthorized, isolate affected systems, revoke the compromised credentials, and initiate incident response procedures. Restore affected databases from the most recent backup or snapshot.

Known False Positives

  • Authorized database cleanup or decommissioning activities
  • Legitimate database migrations or rebuilds that involve deleting and recreating instances, clusters or snapshots (schema changes made with SQL statements inside the engine are not visible in CloudTrail and do not trigger this detection)
  • Routine maintenance activities performed by database administrators