AWS RDS snapshot unexpectedly created and made public

ID: aws_rds_snapshot_created_public_anomaly
Data type: AWS CloudTrail
Severity: Low - Medium
MITRE ATT&CK: TA0010:T1537

Description

AlphaSOC detected that an AWS Relational Database Service (RDS) snapshot or cluster snapshot was created and made publicly accessible. This action exposes database contents to anyone with an AWS account, potentially leading to unauthorized access and data breaches. Legitimate security tools and snapshots created by AWS services are exempt from the detection to avoid false positives.

Impact

A public RDS snapshot poses significant security risks as it can lead to unauthorized data access, intellectual property theft, and compliance violations. Threat actors can use this information to plan further attacks, exploit vulnerabilities, and steal or expose sensitive data.

Severity

Severity  Condition
Low       Creation of a public RDS snapshot
Medium    Creation of a public RDS snapshot by a client with an unexpected HTTP user agent
Medium    Creation of a public RDS snapshot by a client IP within an unexpected ASN
Medium    Creation of a public RDS snapshot by a client accompanied by an unexpected action
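As an added illustration of the detection logic described above (example code, not AlphaSOC's own implementation), the function below scans CloudTrail records for the RDS API calls that make a snapshot public (ModifyDBSnapshotAttribute and ModifyDBClusterSnapshotAttribute adding the value "all" to the "restore" attribute), exempts calls made by AWS services, and raises the severity to Medium for an unexpected user agent. The user-agent baseline and the sample events are constructed; the ASN and accompanying-action conditions need enrichment beyond the raw record and are left out.

```python
import json
from typing import Optional

# CloudTrail event names that share an RDS snapshot, mapped to the snapshot identifier field.
SHARE_EVENTS = {
    "ModifyDBSnapshotAttribute": "dBSnapshotIdentifier",
    "ModifyDBClusterSnapshotAttribute": "dBClusterSnapshotIdentifier",
}
# Constructed baseline of user agents normally seen in this account (an assumption).
EXPECTED_AGENTS = ("console.amazonaws.com", "aws-cli/")


def classify(event: dict) -> Optional[dict]:
    """Return an alert for an RDS snapshot made public, or None if the event is benign."""
    name = event.get("eventName")
    if event.get("eventSource") != "rds.amazonaws.com" or name not in SHARE_EVENTS:
        return None
    identity = event.get("userIdentity") or {}
    # Snapshots handled by AWS services themselves are exempt, as in the rule description.
    if identity.get("type") == "AWSService":
        return None
    params = event.get("requestParameters") or {}
    # A snapshot becomes public only when the "restore" attribute gains the value "all";
    # adding a specific account ID shares it privately and is not flagged here.
    if params.get("attributeName") != "restore" or "all" not in (params.get("valuesToAdd") or []):
        return None
    agent = event.get("userAgent", "")
    unexpected_agent = not any(agent.startswith(prefix) for prefix in EXPECTED_AGENTS)
    return {
        "snapshot": params.get(SHARE_EVENTS[name]),
        "actor": identity.get("arn"),
        "severity": "Medium" if unexpected_agent else "Low",
    }


def scan(lines) -> list:
    """Run classify() over newline-delimited CloudTrail JSON records and collect the alerts."""
    return [a for a in (classify(json.loads(line)) for line in lines if line.strip()) if a]


# Constructed sample records (not real CloudTrail data).
SAMPLE_EVENTS = [
    # Operator makes a DB snapshot public from the console: Low
    '{"eventSource":"rds.amazonaws.com","eventName":"ModifyDBSnapshotAttribute","userAgent":"console.amazonaws.com","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/alice"},"requestParameters":{"dBSnapshotIdentifier":"prod-db-2024","attributeName":"restore","valuesToAdd":["all"]}}',
    # Cluster snapshot made public by a script whose user agent is not in the baseline: Medium
    '{"eventSource":"rds.amazonaws.com","eventName":"ModifyDBClusterSnapshotAttribute","userAgent":"python-requests/2.31","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/bob"},"requestParameters":{"dBClusterSnapshotIdentifier":"aurora-snap","attributeName":"restore","valuesToAdd":["all"]}}',
    # Sharing with one specific account is not public: no alert
    '{"eventSource":"rds.amazonaws.com","eventName":"ModifyDBSnapshotAttribute","userAgent":"aws-cli/2.15","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/carol"},"requestParameters":{"dBSnapshotIdentifier":"dev-db","attributeName":"restore","valuesToAdd":["444455556666"]}}',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```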

Investigation and Remediation

Investigate who created the public snapshot and why. Review access logs and the change history. If the change was unauthorized, immediately set the snapshot's permissions back to private. Assess whether any sensitive data was exposed and take appropriate actions, such as notifying affected parties.

Known False Positives

  • Snapshots intentionally made public for sharing non-sensitive data with partners or the public
  • Testing or development environments where public snapshots are used (though this is not recommended)
  • Misconfigurations during automated backup or disaster recovery processes