AWS RDS snapshot created manually

ID: aws_rds_snapshot_created
Data type: AWS CloudTrail
Severity: Low
MITRE ATT&CK: TA0010:T1537

Description

AlphaSOC detected the manual creation of an AWS Relational Database Service (RDS) snapshot or cluster snapshot. Snapshots are a legitimate feature for backing up and restoring databases, but manual snapshot creation outside of scheduled backups can indicate unauthorized data access or an exfiltration attempt. Security or Infrastructure-as-Code (IaC) tools, and snapshots created by AWS services, will not generate false positives, because the detection only fires when the snapshot is classified as manual.

Impact

Unauthorized creation of RDS snapshots can lead to data breaches, as they contain complete copies of databases at a specific point in time. If accessed by threat actors, these snapshots could expose sensitive information, including customer data, financial records, or proprietary business information.

Severity

Severity | Condition
Low      | Manually created RDS snapshot

Investigation and Remediation

Investigate the snapshot creation by identifying the responsible AWS user or role. Verify that the action was authorized and part of planned operations. If unauthorized, immediately delete the snapshot and revoke the privileges of the account that created it. Review database access logs and CloudTrail logs for suspicious activity.
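The triage described above, carried out over CloudTrail records, as an added example that is not AlphaSOC's own detection code. It assumes CloudTrail's standard JSON fields (eventName, userIdentity, requestParameters, errorCode) and uses constructed sample records; snapshot and database names are placeholders.

```python
SNAPSHOT_EVENTS = {"CreateDBSnapshot", "CreateDBClusterSnapshot"}

# Constructed sample CloudTrail records (not real output): a direct IAM user call,
# a service-initiated backup, and a denied call that created nothing.
SAMPLE_RECORDS = [
    {"eventTime": "2024-05-01T02:14:00Z", "eventSource": "rds.amazonaws.com",
     "eventName": "CreateDBSnapshot", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"dBSnapshotIdentifier": "prod-copy", "dBInstanceIdentifier": "prod-db"}},
    {"eventTime": "2024-05-01T03:00:00Z", "eventSource": "rds.amazonaws.com",
     "eventName": "CreateDBSnapshot", "sourceIPAddress": "backup.amazonaws.com",
     "userIdentity": {"type": "AssumedRole", "invokedBy": "backup.amazonaws.com",
                      "arn": "arn:aws:sts::111122223333:assumed-role/AWSBackupDefaultServiceRole/job"},
     "requestParameters": {"dBSnapshotIdentifier": "awsbackup:job-1", "dBInstanceIdentifier": "prod-db"}},
    {"eventTime": "2024-05-01T04:00:00Z", "eventSource": "rds.amazonaws.com",
     "eventName": "CreateDBClusterSnapshot", "sourceIPAddress": "198.51.100.9",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"dBClusterSnapshotIdentifier": "x", "dBClusterIdentifier": "aurora-1"}},
]

def is_manual_snapshot(event: dict) -> bool:
    """True when a user or role (not an AWS service) successfully created an RDS snapshot."""
    if event.get("eventSource") != "rds.amazonaws.com":
        return False
    if event.get("eventName") not in SNAPSHOT_EVENTS:
        return False
    ident = event.get("userIdentity", {})
    # Snapshots taken by AWS itself (automated backups, AWS Backup) carry a service
    # identity or an invokedBy field; those are not manual snapshots.
    if ident.get("type") == "AWSService" or ident.get("invokedBy"):
        return False
    # CloudTrail also logs denied calls; only a successful call produced a snapshot.
    return not event.get("errorCode")

def triage(event: dict) -> dict:
    """Extract what the analyst needs: who, from where, which snapshot of which database."""
    params = event.get("requestParameters") or {}
    ident = event.get("userIdentity", {})
    return {
        "time": event.get("eventTime"),
        "principal": ident.get("arn") or ident.get("principalId"),
        "source_ip": event.get("sourceIPAddress"),
        "snapshot": params.get("dBSnapshotIdentifier") or params.get("dBClusterSnapshotIdentifier"),
        "database": params.get("dBInstanceIdentifier") or params.get("dBClusterIdentifier"),
    }

def find_manual_snapshots(records: list) -> list:
    return [triage(e) for e in records if is_manual_snapshot(e)]
```

Each hit identifies the principal to verify against planned operations; the service-initiated and denied records are dropped before they reach the analyst.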

Known False Positives

  • Authorized database administrators creating ad-hoc backups for testing or before major changes
  • Developers creating snapshots in development environments for testing purposes
  • Incident response teams creating snapshots during a security investigation