AWS RDS security group created unexpectedly
Description
AlphaSOC detected the creation of an AWS Relational Database Service (RDS) security group. Security groups act as virtual firewalls for RDS instances, controlling inbound and outbound traffic. While creating security groups is a normal administrative task, unexpected or unauthorized changes to these groups could indicate an attempt to modify security settings, potentially exposing database instances to unauthorized access. Security groups created by AWS services are exempt from the detection to avoid false positives.
Impact
Improperly configured RDS security groups can lead to significant security vulnerabilities. An overly permissive security group can allow unauthorized access to sensitive data stored in RDS instances. Threat actors could exploit these misconfigurations to gain access to databases, potentially leading to data breaches, unauthorized data manipulation, or the use of database resources for malicious purposes.
Severity
| Severity | Condition |
|---|---|
| Informational | Creation of RDS security group with added inbound rules |
| Low | Creation of RDS security group by a client with an unexpected user agent |
| Low | Creation of RDS security group by a client IP within an unexpected ASN |
Investigation and Remediation
Verify the identity of the principal who created the group, together with the user agent and source address of the request, and confirm that the action was authorized. Review the inbound and outbound rules of the security group for overly permissive settings, such as rules that open a database port to any address. If the creation is unauthorized or the group is misconfigured, remove the security group or adjust its rules to meet security best practices.
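The triage steps above, worked as an added example (not AlphaSOC code): it takes one CloudTrail-style `CreateDBSecurityGroup` record plus the group's inbound rules, applies the service-principal exemption, checks the user agent and source address against the severity conditions on this page, and lists rules that expose a port to every address. The record, the rules, the expected user-agent markers and the expected source CIDRs are all constructed; the CIDR allowlist is an offline stand-in for the page's "unexpected ASN" condition, which in practice needs an IP-to-ASN lookup.

```python
import ipaddress

# Assumption: user-agent substrings the organisation's own tooling normally presents.
EXPECTED_USER_AGENTS = ("console.amazonaws.com", "aws-cli/", "Terraform")
# Assumption: stand-in for the "expected ASN" condition; an offline CIDR allowlist
# replaces the IP-to-ASN lookup. 203.0.113.0/24 is an RFC 5737 documentation range.
EXPECTED_SOURCE_CIDRS = (ipaddress.ip_network("203.0.113.0/24"),)

# Constructed CloudTrail-style record, trimmed to the fields the triage uses.
SAMPLE_RECORD = {
    "eventSource": "rds.amazonaws.com",
    "eventName": "CreateDBSecurityGroup",
    "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
    "sourceIPAddress": "198.51.100.7",
    "userAgent": "python-requests/2.31",
}
# Constructed inbound rules, simplified to a port and a list of source CIDRs.
SAMPLE_RULES = [
    {"port": 3306, "cidrs": ["0.0.0.0/0"]},
    {"port": 5432, "cidrs": ["10.20.0.0/16"]},
]


def is_aws_service(record):
    """Mirror the detection's exemption for groups created by AWS services."""
    ident = record.get("userIdentity", {})
    if ident.get("type") == "AWSService":
        return True
    # Service-originated calls carry a service DNS name instead of an IP address.
    return record.get("sourceIPAddress", "").endswith(".amazonaws.com")


def user_agent_expected(user_agent):
    """True when the user agent carries one of the expected tooling markers."""
    return any(marker in user_agent for marker in EXPECTED_USER_AGENTS)


def source_ip_expected(source):
    """True when the source address falls inside an expected range."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return False  # not an IP literal (service names are handled separately)
    return any(addr in net for net in EXPECTED_SOURCE_CIDRS)


def overly_permissive_rules(ingress_rules):
    """Return (port, cidr) pairs that open a port to every IPv4 or IPv6 address."""
    findings = []
    for rule in ingress_rules:
        for cidr in rule.get("cidrs", []):
            if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                findings.append((rule["port"], cidr))
    return findings


def triage(record, ingress_rules):
    """Return (severity, reasons) following the severity table on this page.

    Overly permissive rules do not change the severity; they are appended as
    reasons to drive the rule-review step of the remediation."""
    if is_aws_service(record):
        return "exempt", []
    reasons = []
    user_agent = record.get("userAgent", "")
    source = record.get("sourceIPAddress", "")
    if not user_agent_expected(user_agent):
        reasons.append(f"unexpected user agent: {user_agent}")
    if not source_ip_expected(source):
        reasons.append(f"source address outside expected ranges: {source}")
    severity = "low" if reasons else "informational"
    for port, cidr in overly_permissive_rules(ingress_rules):
        reasons.append(f"inbound rule exposes port {port} to {cidr}")
    return severity, reasons


if __name__ == "__main__":
    severity, reasons = triage(SAMPLE_RECORD, SAMPLE_RULES)
    print(f"{SAMPLE_RECORD['userIdentity']['userName']}: {severity}")
    for reason in reasons:
        print(" -", reason)
```

For the constructed record the result is `low` (unexpected user agent and source address), with the 3306/`0.0.0.0/0` rule listed as the item to fix; the same record from an expected tool and address drops to `informational` while still carrying the open-rule finding.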
Known False Positives
- Automated scripts or infrastructure-as-code tools creating security groups during approved deployments
- Security groups created as part of disaster recovery or business continuity exercises
- Temporary security groups created for testing or development purposes in non-production environments