An AWS RDS instance was modified to allow public access
Description
AlphaSOC detected a modification to an AWS Relational Database Service (RDS) instance that allows public access. RDS is a managed database service that lets users set up, operate, and scale relational databases in the cloud. This change exposes the database to the internet, potentially granting unauthorized access to sensitive data. This modification can occur when security groups or network access controls are altered to permit inbound traffic from any IP address, thereby bypassing established security measures.
Impact
An AWS RDS instance modified for public access is exposed to the internet, potentially allowing unauthorized users to reach it. Adversaries may attempt to exploit vulnerabilities, brute-force credentials, or directly access sensitive data. They could also use the public database for further attacks within the cloud environment.
Severity
| Severity | Condition |
|---|---|
| Low | RDS instance modified for public access |
Investigation and Remediation
Investigate the RDS instance configuration changes, identifying who made the modification and why. If the change was unintended, revert the RDS instance to a private configuration. Review database access logs for any suspicious activity.
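The "who made the modification" step can be worked from a CloudTrail export. The following is an added example, not AlphaSOC's detection logic: it assumes CloudTrail JSON as input with the `requestParameters` field names as CloudTrail commonly logs them for RDS (`dBInstanceIdentifier`, `publiclyAccessible`), and the function name and sample records are constructed for illustration.

```python
import json
import shlex

# Constructed sample CloudTrail records (not real account data).
SAMPLE_TRAIL = json.loads("""
{"Records": [
  {"eventTime": "2024-05-01T10:15:00Z", "eventSource": "rds.amazonaws.com",
   "eventName": "ModifyDBInstance", "sourceIPAddress": "198.51.100.7",
   "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-admin"},
   "requestParameters": {"dBInstanceIdentifier": "example-db", "publiclyAccessible": true}},
  {"eventTime": "2024-05-01T10:20:00Z", "eventSource": "rds.amazonaws.com",
   "eventName": "ModifyDBInstance", "sourceIPAddress": "198.51.100.7",
   "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-admin"},
   "requestParameters": {"dBInstanceIdentifier": "example-db", "backupRetentionPeriod": 7}},
  {"eventTime": "2024-05-01T11:00:00Z", "eventSource": "rds.amazonaws.com",
   "eventName": "ModifyDBInstance", "sourceIPAddress": "203.0.113.9",
   "errorCode": "AccessDenied",
   "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/example-role/s1"},
   "requestParameters": {"dBInstanceIdentifier": "other-db", "publiclyAccessible": true}}
]}
""")

def public_access_changes(trail):
    """Return successful ModifyDBInstance calls that set publiclyAccessible=true."""
    findings = []
    for rec in trail.get("Records", []):
        if rec.get("eventSource") != "rds.amazonaws.com":
            continue
        # Failed calls carry errorCode and did not change the instance.
        if rec.get("eventName") != "ModifyDBInstance" or "errorCode" in rec:
            continue
        params = rec.get("requestParameters") or {}
        if params.get("publiclyAccessible") is not True:
            continue
        db = params.get("dBInstanceIdentifier", "<unknown>")
        findings.append({
            "time": rec.get("eventTime"),
            "actor": (rec.get("userIdentity") or {}).get("arn", "<unknown>"),
            "source_ip": rec.get("sourceIPAddress"),
            "db_instance": db,
            # Revert command for the analyst to review, not executed here.
            "revert": "aws rds modify-db-instance --db-instance-identifier "
                      f"{shlex.quote(db)} --no-publicly-accessible --apply-immediately",
        })
    return findings

if __name__ == "__main__":
    for finding in public_access_changes(SAMPLE_TRAIL):
        print(json.dumps(finding, indent=2))
```

Confirm the change was unintended before running the generated revert command, since the known false positives below describe cases where public access is deliberate.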
Known False Positives
- Temporary public access granted for authorized data migration or integration with external services
- Public access within controlled IP ranges to authorized users, such as IPs of company offices or trusted VPNs
- Legitimate business requirement for a publicly accessible database (though not recommended)