An AWS RDS snapshot was modified to allow public access
Description
AlphaSOC detected that an AWS Relational Database Service (RDS) snapshot was modified to allow public access. This action exposes the database snapshot to the internet, potentially granting unauthorized access to sensitive data. Threat actors may exploit this misconfiguration to exfiltrate data or gain insights into the database structure.
Impact
Making an RDS snapshot publicly available can lead to unauthorized data exposure. Unauthorized parties may be able to access and download the snapshot, potentially compromising sensitive information such as customer data, financial records, or proprietary business information.
Severity
| Severity | Condition |
|---|---|
| Medium | AWS RDS snapshot made publicly accessible |
Investigation and Remediation
Determine who made the RDS snapshot public and why. Review access logs to determine whether unauthorized parties have accessed the snapshot. Immediately revoke public access and ensure that all RDS snapshots are set to private. Rotate any credentials that may have been exposed.
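The first investigation step, as an added example (not AlphaSOC's detection logic): replay CloudTrail records to find who made a snapshot public and which snapshots are still public. The sample records are constructed, and the `requestParameters` key casing and the helper names are assumptions to confirm against your own logs.

```python
# CloudTrail event name -> requestParameters key holding the snapshot id.
# Key casing is an assumption; confirm against your own CloudTrail records.
SHARE_EVENTS = {
    "ModifyDBSnapshotAttribute": "dBSnapshotIdentifier",
    "ModifyDBClusterSnapshotAttribute": "dBClusterSnapshotIdentifier",
}

def public_snapshot_exposures(records):
    """Replay records in time order; return snapshots that are still public."""
    exposed = {}
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        id_key = SHARE_EVENTS.get(rec.get("eventName"))
        params = rec.get("requestParameters") or {}
        # Skip unrelated events, failed calls, and non-sharing attributes.
        if not id_key or rec.get("errorCode") or params.get("attributeName") != "restore":
            continue
        snap = params.get(id_key)
        if "all" in (params.get("valuesToAdd") or []):
            # "all" in the restore attribute means any AWS account can restore it.
            exposed.setdefault(snap, {
                "actor": (rec.get("userIdentity") or {}).get("arn"),
                "source_ip": rec.get("sourceIPAddress"),
                "public_since": rec["eventTime"],
            })
        elif "all" in (params.get("valuesToRemove") or []):
            exposed.pop(snap, None)  # public access was revoked later
    return exposed

def make_event(time, snap, actor, ip, add=(), remove=(), error=None,
               name="ModifyDBSnapshotAttribute"):
    """Build a constructed CloudTrail-style record for the sample below."""
    rec = {"eventTime": time, "eventName": name, "sourceIPAddress": ip,
           "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{actor}"},
           "requestParameters": {SHARE_EVENTS[name]: snap, "attributeName": "restore",
                                 "valuesToAdd": list(add), "valuesToRemove": list(remove)}}
    if error:
        rec["errorCode"] = error
    return rec

# Constructed sample records (not real log data), deliberately out of order.
SAMPLE = [
    make_event("2024-05-01T10:30:00Z", "demo-snap", "dev1", "203.0.113.10", remove=["all"]),
    make_event("2024-05-01T10:00:00Z", "demo-snap", "dev1", "203.0.113.10", add=["all"]),
    make_event("2024-05-01T09:00:00Z", "orders-snap", "dba1", "203.0.113.10", add=["444455556666"]),
    make_event("2024-05-01T11:00:00Z", "orders-snap", "svc1", "198.51.100.7", add=["all"], error="AccessDenied"),
    make_event("2024-05-01T12:00:00Z", "orders-cluster-snap", "ops2", "198.51.100.7", add=["all"],
               name="ModifyDBClusterSnapshotAttribute"),
]
```

Each snapshot returned is still public; removing `all` from its `restore` attribute (for example `aws rds modify-db-snapshot-attribute --db-snapshot-identifier <id> --attribute-name restore --values-to-remove all`) makes it private again.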
Known False Positives
- Testing environments where public access is intentionally allowed for development purposes
- Snapshots containing non-sensitive data made publicly available, e.g. sample data