An AWS RDS snapshot was modified to allow public access

ID: aws_rds_snapshot_public
Data type: AWS CloudTrail
Severity: Medium
MITRE ATT&CK: TA0010:T1537

Description

AlphaSOC detected that an AWS Relational Database Service (RDS) snapshot was modified to allow public access. This action exposes the database snapshot to the internet, potentially granting unauthorized access to sensitive data. Threat actors may exploit this misconfiguration to exfiltrate data or gain insights into the database structure.

Impact

Making an RDS snapshot publicly available can lead to unauthorized data exposure. Unauthorized parties may be able to access and download the snapshot, potentially compromising sensitive information such as customer data, financial records, or proprietary business information.

Severity

Severity    Condition
Medium      AWS RDS snapshot made publicly accessible

Investigation and Remediation

Determine who made the RDS snapshot public and why. Review access logs to determine whether unauthorized parties have accessed the snapshot. Immediately revoke public access and ensure that all RDS snapshots are set to private. Rotate any credentials that may have been exposed.
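
To answer the "who and when" question from CloudTrail, the following added example (not AlphaSOC's rule logic) scans records for successful ModifyDBSnapshotAttribute or ModifyDBClusterSnapshotAttribute calls that add "all" to the restore attribute. The record field names follow the CloudTrail layout as assumed here, and the sample records, ARN and IP address are constructed.

```python
# Added example: flag CloudTrail records that make an RDS snapshot public.
SHARE_EVENTS = {"ModifyDBSnapshotAttribute", "ModifyDBClusterSnapshotAttribute"}

def public_snapshot_changes(records):
    """Return a finding for each successful call that added 'all' to a snapshot's restore attribute."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "rds.amazonaws.com" or rec.get("eventName") not in SHARE_EVENTS:
            continue
        if rec.get("errorCode"):  # denied or failed calls changed nothing
            continue
        params = rec.get("requestParameters") or {}
        added = [str(v).lower() for v in params.get("valuesToAdd") or []]
        if params.get("attributeName") != "restore" or "all" not in added:
            continue
        findings.append({
            "time": rec.get("eventTime"),
            "actor": (rec.get("userIdentity") or {}).get("arn"),
            "source_ip": rec.get("sourceIPAddress"),
            "region": rec.get("awsRegion"),
            "snapshot": params.get("dBSnapshotIdentifier") or params.get("dBClusterSnapshotIdentifier"),
        })
    return findings

def _sample(name, params, time, error=None):
    """Build one constructed CloudTrail-style record (not a real event)."""
    rec = {"eventSource": "rds.amazonaws.com", "eventName": name, "eventTime": time,
           "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
           "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"},
           "requestParameters": dict(params, attributeName="restore")}
    if error:
        rec["errorCode"] = error
    return rec

SAMPLE_RECORDS = [
    # Instance snapshot made public: finding.
    _sample("ModifyDBSnapshotAttribute", {"dBSnapshotIdentifier": "orders-snap", "valuesToAdd": ["all"]}, "2024-01-01T10:00:00Z"),
    # Shared with one named account only: not public.
    _sample("ModifyDBSnapshotAttribute", {"dBSnapshotIdentifier": "orders-snap", "valuesToAdd": ["444455556666"]}, "2024-01-01T10:05:00Z"),
    # Attempt that was denied: no change took effect.
    _sample("ModifyDBClusterSnapshotAttribute", {"dBClusterSnapshotIdentifier": "billing-snap", "valuesToAdd": ["all"]}, "2024-01-01T10:10:00Z", error="AccessDenied"),
    # Cluster snapshot made public: finding.
    _sample("ModifyDBClusterSnapshotAttribute", {"dBClusterSnapshotIdentifier": "billing-snap", "valuesToAdd": ["all"]}, "2024-01-01T10:15:00Z"),
    # Public access revoked (remediation): not a finding.
    _sample("ModifyDBSnapshotAttribute", {"dBSnapshotIdentifier": "orders-snap", "valuesToRemove": ["all"]}, "2024-01-01T11:00:00Z"),
]

if __name__ == "__main__":
    for finding in public_snapshot_changes(SAMPLE_RECORDS):
        print(finding)
```

Each finding carries the calling identity, source IP and time, which is the starting point for the investigation steps above.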

Known False Positives

  • Testing environments where public access is intentionally allowed for development purposes
  • Snapshots containing non-sensitive data made publicly available, e.g. sample data