
AWS RDS export task to an unknown S3 bucket initiated

ID: aws_rds_export_task_unknown
Data type: AWS CloudTrail
Severity: Informational - Medium
MITRE ATT&CK: TA0010:T1567.002

Description

AlphaSOC detected the initiation of an AWS Relational Database Service (RDS) export task. This operation exports data from an RDS database instance or snapshot to an Amazon Simple Storage Service (S3) bucket. While often used for legitimate purposes such as backups or data analysis, threat actors may abuse this feature to exfiltrate sensitive data from compromised databases. Actions initiated by AWS services and failed attempts are exempt from detection to avoid false positives.

Impact

Unauthorized RDS export tasks can lead to significant data breaches. Attackers may gain access to sensitive information stored in databases, including customer data, financial records, or proprietary information. This exfiltrated data could be used for various malicious purposes, such as identity theft, financial fraud, or corporate espionage.

Severity

Severity   Condition
Low        AWS RDS export task initiated by a client with an unexpected user agent
Low        AWS RDS export task initiated by a client IP within an unexpected ASN
Low        AWS RDS export task initiated by a client accompanied by an unexpected action
Medium     AWS RDS export task initiated to an unknown S3 bucket

Investigation and Remediation

Review AWS CloudTrail logs to identify the user or role that initiated the task and investigate the legitimacy of the RDS export task. Examine the destination S3 bucket's permissions and access logs. If the export is unauthorized, immediately revoke access, delete the exported data, and investigate for signs of broader compromise.
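The following is an added example, not AlphaSOC's detection code, showing how a reviewer could triage CloudTrail records for this rule: it keeps only successful StartExportTask calls made by a human or role principal, and flags those whose destination bucket is outside an allowlist. The bucket allowlist, the sample events and the requestParameters field names (s3BucketName, sourceArn, exportTaskIdentifier) are constructed for this example.

```python
"""Triage CloudTrail records for RDS export tasks to unknown S3 buckets."""

# Buckets the organisation expects RDS exports to land in (assumed allowlist).
KNOWN_BUCKETS = {"corp-rds-backups", "analytics-exports"}

# Constructed CloudTrail records (not real data). Field layout mirrors CloudTrail's shape.
SAMPLE_EVENTS = [
    {  # expected: export to a known bucket
        "eventSource": "rds.amazonaws.com", "eventName": "StartExportTask",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
        "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
        "requestParameters": {"exportTaskIdentifier": "nightly-1",
                              "sourceArn": "arn:aws:rds:us-east-1:111122223333:snapshot:prod-1",
                              "s3BucketName": "corp-rds-backups"}},
    {  # suspicious: successful export to a bucket nobody recognises
        "eventSource": "rds.amazonaws.com", "eventName": "StartExportTask",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/dba/bob"},
        "sourceIPAddress": "198.51.100.7", "userAgent": "Boto3/1.34.0",
        "requestParameters": {"exportTaskIdentifier": "adhoc-7",
                              "sourceArn": "arn:aws:rds:us-east-1:111122223333:snapshot:prod-1",
                              "s3BucketName": "ext-transfer-bucket"}},
    {  # exempt: the call failed, so no data left the account
        "eventSource": "rds.amazonaws.com", "eventName": "StartExportTask",
        "errorCode": "AccessDenied",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/carol"},
        "requestParameters": {"s3BucketName": "ext-transfer-bucket"}},
    {  # exempt: initiated by an AWS service on the account's behalf
        "eventSource": "rds.amazonaws.com", "eventName": "StartExportTask",
        "userIdentity": {"type": "AWSService", "invokedBy": "backup.amazonaws.com"},
        "requestParameters": {"s3BucketName": "ext-transfer-bucket"}},
]


def find_unknown_bucket_exports(events, known_buckets):
    """Return triage records for successful, principal-initiated exports to unlisted buckets."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "rds.amazonaws.com" or ev.get("eventName") != "StartExportTask":
            continue
        if "errorCode" in ev:  # failed attempts are exempt from the rule
            continue
        ident = ev.get("userIdentity", {})
        if ident.get("type") == "AWSService" or ident.get("invokedBy"):  # service-initiated
            continue
        params = ev.get("requestParameters", {})
        bucket = params.get("s3BucketName")
        if bucket and bucket not in known_buckets:
            findings.append({"severity": "Medium", "bucket": bucket,
                             "principal": ident.get("arn"), "source": params.get("sourceArn"),
                             "ip": ev.get("sourceIPAddress"), "userAgent": ev.get("userAgent")})
    return findings
```

Each finding carries the principal, source snapshot or instance, client IP and user agent, which is the starting point for the CloudTrail review described above.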

Known False Positives

  • Legitimate data exports for analysis or reporting purposes