AWS RDS instance password changed unexpectedly
Description
AlphaSOC detected a password change for an AWS Relational Database Service (RDS) instance or cluster. The event may reflect legitimate administrative activity or unauthorized access. Unexpected or unauthorized password changes to critical cloud resources such as RDS databases warrant immediate attention and investigation. Actions initiated by security or Infrastructure-as-Code (IaC) tools and by AWS services are exempt from the detection to avoid false positives.
Impact
Unauthorized changes to AWS RDS passwords can lead to serious security breaches. A threat actor with database access could exfiltrate sensitive data, manipulate records, or use the compromised database as a pivot point for further lateral movement within the cloud environment.
Severity
| Severity | Condition |
|---|---|
| Informational | Change of RDS instance or cluster password |
| Low | Change of RDS instance or cluster password by a client with an unexpected user agent |
| Low | Change of RDS instance or cluster password by a client IP within an unexpected ASN |
| Low | Change of RDS instance or cluster password by a client accompanied by an unexpected action |
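As an added example (not AlphaSOC's detection code), the Python below applies the severity table to CloudTrail records: it treats ModifyDBInstance and ModifyDBCluster calls that carry a masterUserPassword parameter as password changes, skips calls made by AWS services or IaC tooling, and raises the severity to Low on an unexpected user agent, source ASN or accompanying action by the same principal. The IaC user-agent markers, the allow-lists, the prefix-to-ASN table and the sample records are constructed assumptions.

```python
import ipaddress

PASSWORD_EVENTS = {"ModifyDBInstance", "ModifyDBCluster"}
IAC_AGENT_MARKERS = ("terraform", "cloudformation", "pulumi")   # assumed IaC agent markers
EXPECTED_AGENTS = ("console.amazonaws.com", "aws-cli/")          # assumed agent allow-list
EXPECTED_ASNS = {64500}                                           # constructed
EXPECTED_COMPANIONS = {"DescribeDBInstances", "DescribeDBClusters"}  # assumed benign neighbours
ASN_TABLE = {ipaddress.ip_network("203.0.113.0/24"): 64500,       # constructed stand-in for
             ipaddress.ip_network("198.51.100.0/24"): 64501}      # a real IP-to-ASN lookup

def asn_for(ip):
    addr = ipaddress.ip_address(ip)
    return next((asn for net, asn in ASN_TABLE.items() if addr in net), None)
def is_password_change(ev):
    # CloudTrail keeps the parameter name but redacts the secret to "****".
    return (ev.get("eventSource") == "rds.amazonaws.com"
            and ev.get("eventName") in PASSWORD_EVENTS
            and "masterUserPassword" in (ev.get("requestParameters") or {}))
def is_exempt(ev):
    # Calls by AWS services (or made on their behalf) and by IaC tooling are skipped.
    ident, agent = ev.get("userIdentity", {}), ev.get("userAgent", "").lower()
    return (ident.get("type") == "AWSService" or "invokedBy" in ident
            or any(m in agent for m in IAC_AGENT_MARKERS))

def rate(ev, records):  # severity per the table above, or None if not a flagged change
    if not is_password_change(ev) or is_exempt(ev):
        return None
    reasons = []
    if not ev.get("userAgent", "").startswith(EXPECTED_AGENTS):
        reasons.append("unexpected user agent")
    if asn_for(ev["sourceIPAddress"]) not in EXPECTED_ASNS:
        reasons.append("unexpected ASN")
    arn = ev["userIdentity"]["arn"]  # other actions by the same principal in the window
    others = {r["eventName"] for r in records if r["userIdentity"]["arn"] == arn}
    if others - PASSWORD_EVENTS - EXPECTED_COMPANIONS:
        reasons.append("unexpected accompanying action")
    return ("Low" if reasons else "Informational", reasons)

def rec(eid, name, arn, ip, agent, **params):  # builds a minimal CloudTrail-shaped record
    return {"eventID": eid, "eventSource": "rds.amazonaws.com", "eventName": name,
            "sourceIPAddress": ip, "userAgent": agent, "requestParameters": params,
            "userIdentity": {"type": "IAMUser", "arn": arn}}

DBA, CON = "arn:aws:iam::111122223333:user/dba", "arn:aws:iam::111122223333:user/contractor"
SAMPLE_RECORDS = [  # constructed records, not real CloudTrail output
    rec("ev-1", "ModifyDBInstance", DBA, "203.0.113.10", "console.amazonaws.com", masterUserPassword="****"),
    rec("ev-2", "ModifyDBCluster", CON, "198.51.100.7", "python-requests/2.31", masterUserPassword="****"),
    rec("ev-3", "CreateDBSnapshot", CON, "198.51.100.7", "python-requests/2.31", dBClusterIdentifier="prod"),
    rec("ev-4", "ModifyDBInstance", DBA, "203.0.113.20", "Terraform/1.6", masterUserPassword="****"),
]
FINDINGS = {r["eventID"]: rate(r, SAMPLE_RECORDS) for r in SAMPLE_RECORDS if is_password_change(r)}
```

On the sample data, ev-1 rates Informational, ev-2 rates Low with all three conditions met, and ev-4 is exempt because of its IaC user agent.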
Investigation and Remediation
Investigate the legitimacy of the password change by correlating the event with approved change requests. Review AWS CloudTrail logs to identify the user who initiated the change and from which IP address. If unauthorized, immediately reset the RDS password, revoke any active sessions, and conduct a thorough audit of database activity since the password change.
Known False Positives
- Password resets due to forgotten credentials by authorized personnel