AWS RDS snapshot created and made public
Description
AlphaSOC detected that an AWS Relational Database Service (RDS) snapshot or cluster snapshot was created and made publicly accessible. This action exposes database contents to anyone with an AWS account, potentially leading to unauthorized access and data breaches. Legitimate security tools and snapshots created by AWS services are exempt from the detection to avoid false positives.
Impact
A public RDS snapshot poses significant security risks as it can lead to unauthorized data access, intellectual property theft, and compliance violations. Threat actors can use this information to plan further attacks, exploit vulnerabilities, and steal or expose sensitive data.
Severity
| Severity | Condition |
|---|---|
Low | Creation of a public RDS snapshot |
Medium | Creation of a public RDS snapshot by a client with an unexpected HTTP user agent |
Medium | Creation of a public RDS snapshot by a client IP within an unexpected ASN |
Medium | Creation of a public RDS snapshot by a client accompanied by an unexpected action |
Investigation and Remediation
Investigate who created the public snapshot and why. Review access logs and the snapshot's change history. If the change was unauthorized, immediately set the snapshot's permissions back to private. Assess whether any sensitive data was exposed while the snapshot was public and take appropriate action, such as notifying affected parties.
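The severity conditions in the table above and the first remediation step (returning the snapshot to private), as an added Python example rather than AlphaSOC's own detection code. It triages constructed CloudTrail records for the RDS ModifyDBSnapshotAttribute and ModifyDBClusterSnapshotAttribute calls that add "all" to the restore attribute, applies the three Medium conditions against assumed baselines (expected user agents, an expected ASN via a stand-in IP-to-ASN table, routine actions for the principal), and issues the boto3 modify_db_snapshot_attribute / modify_db_cluster_snapshot_attribute call with ValuesToRemove=["all"]. Every principal, snapshot identifier, IP address and ASN below is constructed.

```python
"""Triage CloudTrail events that make an RDS snapshot public.

Added example, not AlphaSOC code. Event records are constructed; field names
follow CloudTrail's record format for the RDS ModifyDBSnapshotAttribute and
ModifyDBClusterSnapshotAttribute APIs, where a snapshot becomes public when
"all" is added to the "restore" attribute. Baselines are assumptions.
"""

# Constructed baselines for the monitored account.
EXPECTED_UA_PREFIXES = ("aws-cli/", "Boto3/", "console.amazonaws.com")
EXPECTED_ASNS = {64500}                 # constructed ASN of the corporate egress
IP_TO_ASN = {"203.0.113.10": 64500,     # constructed stand-in for an ASN lookup
             "198.51.100.7": 64496}
ROUTINE_ACTIONS = {"DescribeDBSnapshots", "CreateDBSnapshot",
                   "ModifyDBSnapshotAttribute", "ModifyDBClusterSnapshotAttribute"}
# API name -> request parameter that carries the snapshot identifier.
SHARE_APIS = {"ModifyDBSnapshotAttribute": "dBSnapshotIdentifier",
              "ModifyDBClusterSnapshotAttribute": "dBClusterSnapshotIdentifier"}


def makes_snapshot_public(ev):
    """True when the call adds 'all' to the snapshot's 'restore' attribute."""
    params = ev.get("requestParameters") or {}
    return (ev.get("eventSource") == "rds.amazonaws.com"
            and ev.get("eventName") in SHARE_APIS
            and params.get("attributeName") == "restore"
            and "all" in (params.get("valuesToAdd") or []))


def severity(ev, companion_events):
    """Map the detection's conditions to a label; companion_events are the
    other calls made by the same principal in the surrounding window."""
    if not ev.get("userAgent", "").startswith(EXPECTED_UA_PREFIXES):
        return "Medium"             # unexpected HTTP user agent
    if IP_TO_ASN.get(ev.get("sourceIPAddress")) not in EXPECTED_ASNS:
        return "Medium"             # client IP within an unexpected ASN
    if any(c["eventName"] not in ROUTINE_ACTIONS for c in companion_events):
        return "Medium"             # accompanied by an unexpected action
    return "Low"


def triage(events):
    """Return [(snapshot identifier, severity)] for each public-share event."""
    by_principal = {}
    for ev in events:
        by_principal.setdefault(ev["userIdentity"]["arn"], []).append(ev)
    findings = []
    for ev in events:
        if not makes_snapshot_public(ev):
            continue
        others = [c for c in by_principal[ev["userIdentity"]["arn"]] if c is not ev]
        ident = ev["requestParameters"][SHARE_APIS[ev["eventName"]]]
        findings.append((ident, severity(ev, others)))
    return findings


def revoke_public_access(rds, ev):
    """Set the snapshot from a triaged event back to private. `rds` is a boto3
    RDS client (or any object exposing the same two method names)."""
    ident = ev["requestParameters"][SHARE_APIS[ev["eventName"]]]
    if ev["eventName"] == "ModifyDBClusterSnapshotAttribute":
        return rds.modify_db_cluster_snapshot_attribute(
            DBClusterSnapshotIdentifier=ident, AttributeName="restore",
            ValuesToRemove=["all"])
    return rds.modify_db_snapshot_attribute(
        DBSnapshotIdentifier=ident, AttributeName="restore",
        ValuesToRemove=["all"])


def _ev(name, arn, ip, ua, params, source="rds.amazonaws.com"):
    """Build a minimal constructed CloudTrail record."""
    return {"eventSource": source, "eventName": name,
            "userIdentity": {"arn": arn}, "sourceIPAddress": ip,
            "userAgent": ua, "requestParameters": params}


DBA = "arn:aws:iam::111122223333:user/dba"            # constructed principals
CI = "arn:aws:iam::111122223333:role/ci-backup"
ANALYST = "arn:aws:iam::111122223333:user/analyst"
CONTRACTOR = "arn:aws:iam::111122223333:user/contractor"
CLI = "aws-cli/2.15.0 Python/3.11.6 Linux/6.1"

# Constructed window of CloudTrail events, one per condition plus a negative.
SAMPLE_EVENTS = [
    _ev("ModifyDBSnapshotAttribute", DBA, "203.0.113.10", CLI,
        {"dBSnapshotIdentifier": "orders-2024-05-01", "attributeName": "restore",
         "valuesToAdd": ["all"]}),                       # expected tooling -> Low
    _ev("ModifyDBSnapshotAttribute", DBA, "203.0.113.10", CLI,
        {"dBSnapshotIdentifier": "orders-2024-05-02", "attributeName": "restore",
         "valuesToAdd": ["444455556666"]}),              # one account, not public
    _ev("ModifyDBClusterSnapshotAttribute", CI, "203.0.113.10",
        "python-requests/2.31.0",
        {"dBClusterSnapshotIdentifier": "aurora-nightly", "attributeName": "restore",
         "valuesToAdd": ["all"]}),                       # odd user agent -> Medium
    _ev("ModifyDBSnapshotAttribute", CONTRACTOR, "198.51.100.7", CLI,
        {"dBSnapshotIdentifier": "hr-2024-05-02", "attributeName": "restore",
         "valuesToAdd": ["all"]}),                       # unexpected ASN -> Medium
    _ev("ModifyDBSnapshotAttribute", ANALYST, "203.0.113.10", CLI,
        {"dBSnapshotIdentifier": "analytics-2024-05-02", "attributeName": "restore",
         "valuesToAdd": ["all"]}),                       # see next event -> Medium
    _ev("StopLogging", ANALYST, "203.0.113.10", CLI, {"name": "org-trail"},
        source="cloudtrail.amazonaws.com"),              # unexpected companion action
]

if __name__ == "__main__":
    for ident, level in triage(SAMPLE_EVENTS):
        print(f"{level:6} public snapshot {ident}")
```

In a real deployment the event list comes from a CloudTrail query and IP_TO_ASN from a proper ASN lookup; the baselines are per-account tuning. Note that removing "all" from the restore attribute only stops further copies; anyone who already restored or copied the snapshot while it was public keeps that data, which is why the exposure assessment step above is still required after revocation.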
Known False Positives
- Snapshots intentionally made public for sharing non-sensitive data with partners or the public
- Testing or development environments where public snapshots are used (though this is not recommended)
- Misconfigurations during automated backup or disaster recovery processes