AWS RDS export task initiated unexpectedly
Description
AlphaSOC detected the initiation of an AWS Relational Database Service (RDS) export task. This operation exports data from an RDS database instance or snapshot to an Amazon Simple Storage Service (S3) bucket. While often used for legitimate purposes such as backups or data analysis, threat actors may abuse this feature to exfiltrate sensitive data from compromised databases. Actions initiated by AWS services and failed attempts are exempt from detection to avoid false positives.
Impact
Unauthorized RDS export tasks can lead to significant data breaches. Attackers may gain access to sensitive information stored in databases, including customer data, financial records, or proprietary information. This exfiltrated data could be used for various malicious purposes, such as identity theft, financial fraud, or corporate espionage.
Severity
| Severity | Condition |
|---|---|
| Low | AWS RDS export task initiated by a client with an unexpected user agent |
| Low | AWS RDS export task initiated by a client IP within an unexpected ASN |
| Low | AWS RDS export task initiated by a client accompanied by an unexpected action |
| Medium | AWS RDS export task initiated to an unknown S3 bucket |
Investigation and Remediation
Review AWS CloudTrail logs to identify the user or role that initiated the task and investigate the legitimacy of the RDS export task. Examine the destination S3 bucket's permissions and access logs. If the export is unauthorized, immediately revoke access, delete the exported data, and investigate for signs of broader compromise.
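To make the conditions above concrete, here is an added triage script (not AlphaSOC's detection code) that applies the page's exemptions and three of the four severity conditions to CloudTrail records for the RDS `StartExportTask` API call, skipping service-initiated and failed calls and rating an unknown destination bucket above an unexpected user agent or ASN. The bucket allowlist, expected user agents, expected ASN and the IP-to-ASN lookup table are assumptions an operator would replace with their own data; the "unexpected action" condition needs session context and is not modelled.

```python
"""Triage RDS StartExportTask CloudTrail records using the conditions on this page."""

# Allowlists an operator would maintain; the values here are constructed.
KNOWN_BUCKETS = {"corp-rds-backups"}
EXPECTED_USER_AGENTS = ("aws-cli/", "Boto3/", "console.amazonaws.com")
EXPECTED_ASNS = {64500}                      # the organisation's usual egress ASN
IP_TO_ASN = {"203.0.113.10": 64500, "198.51.100.7": 64496}  # stand-in for a GeoIP/ASN lookup

def triage(event: dict) -> "tuple | None":
    """Return (severity, reason) for one CloudTrail record, or None if exempt or expected."""
    if event.get("eventSource") != "rds.amazonaws.com" or event.get("eventName") != "StartExportTask":
        return None
    # Exemptions stated on the page: actions initiated by AWS services, and failed attempts.
    if event.get("userIdentity", {}).get("type") == "AWSService" or "errorCode" in event:
        return None
    bucket = (event.get("requestParameters") or {}).get("s3BucketName", "")
    if bucket not in KNOWN_BUCKETS:
        return ("Medium", f"export to unknown S3 bucket {bucket!r}")
    agent = event.get("userAgent", "")
    if not agent.startswith(EXPECTED_USER_AGENTS):
        return ("Low", f"unexpected user agent {agent!r}")
    asn = IP_TO_ASN.get(event.get("sourceIPAddress", ""))
    if asn not in EXPECTED_ASNS:
        return ("Low", f"client IP in unexpected ASN {asn}")
    return None

def triage_all(events: list) -> list:
    """Alerts as (eventID, severity, reason) tuples, most severe first."""
    hits = [(e["eventID"], *r) for e in events if (r := triage(e))]
    return sorted(hits, key=lambda h: {"Medium": 0, "Low": 1}[h[1]])

# Constructed CloudTrail-style records, trimmed to the fields the rules use.
SAMPLE_EVENTS = [
    {"eventID": "e1", "eventSource": "rds.amazonaws.com", "eventName": "StartExportTask",
     "userIdentity": {"type": "AWSService"}, "sourceIPAddress": "rds.amazonaws.com",
     "userAgent": "rds.amazonaws.com", "requestParameters": {"s3BucketName": "corp-rds-backups"}},
    {"eventID": "e2", "eventSource": "rds.amazonaws.com", "eventName": "StartExportTask",
     "userIdentity": {"type": "IAMUser"}, "sourceIPAddress": "198.51.100.7", "userAgent": "Boto3/1.28.0",
     "errorCode": "AccessDenied", "requestParameters": {"s3BucketName": "unknown-bucket"}},
    {"eventID": "e3", "eventSource": "rds.amazonaws.com", "eventName": "StartExportTask",
     "userIdentity": {"type": "IAMUser"}, "sourceIPAddress": "203.0.113.10", "userAgent": "Boto3/1.28.0",
     "requestParameters": {"s3BucketName": "unknown-bucket"}},
    {"eventID": "e4", "eventSource": "rds.amazonaws.com", "eventName": "StartExportTask",
     "userIdentity": {"type": "AssumedRole"}, "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.13.0",
     "requestParameters": {"s3BucketName": "corp-rds-backups"}},
    {"eventID": "e5", "eventSource": "rds.amazonaws.com", "eventName": "StartExportTask",
     "userIdentity": {"type": "IAMUser"}, "sourceIPAddress": "203.0.113.10", "userAgent": "console.amazonaws.com",
     "requestParameters": {"s3BucketName": "corp-rds-backups"}},
]
```

Running `triage_all(SAMPLE_EVENTS)` on the constructed records yields one Medium alert (e3, unknown bucket) and one Low alert (e4, unexpected ASN); the service-initiated, failed and fully expected calls produce nothing.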
Known False Positives
- Legitimate data exports for analysis or reporting purposes