AWS DynamoDB table restored from backup
Description
AlphaSOC detected that an AWS DynamoDB table was restored from a backup using the RestoreTableFromBackup action. This API call allows users to create a new table from an existing backup. Adversaries may exploit this functionality to alter or replace data stored in AWS DynamoDB.
Impact
Restoring an AWS DynamoDB table from a backup may erase evidence of malicious activity or introduce manipulated data into the system. Such actions could compromise data integrity or disrupt business operations.
Severity
Severity | Condition |
---|---|
Informational | Unexpected action, ASN, user agent or region |
Low | Two unexpected properties at the same time |
Medium | Three unexpected properties at the same time |
Investigation and Remediation
Compare the restored table's data with the most recent approved state and review AWS CloudTrail logs to identify the IAM user or role that initiated the action. Verify whether the action was authorized. If unauthorized, restore the table to its original state, investigate the incident, and revoke potentially compromised credentials.
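
The following is an added example, not AlphaSOC's detection logic: a triage helper that pulls the initiating principal, target table and backup ARN out of a CloudTrail RestoreTableFromBackup record and maps the number of unexpected properties to the severity table above. The per-principal baseline, the IP-to-ASN lookup, the sample record and the handling of four unexpected properties are assumptions made for illustration.

```python
import json

# Constructed CloudTrail record (not from a real account); field names follow
# the CloudTrail record format, values are placeholders.
SAMPLE_EVENT = json.loads("""
{
  "eventSource": "dynamodb.amazonaws.com",
  "eventName": "RestoreTableFromBackup",
  "awsRegion": "ap-southeast-2",
  "sourceIPAddress": "198.51.100.23",
  "userAgent": "Boto3/1.34.0",
  "userIdentity": {"type": "IAMUser",
                   "arn": "arn:aws:iam::111122223333:user/example-user"},
  "requestParameters": {
    "targetTableName": "orders-restored",
    "backupArn": "arn:aws:dynamodb:ap-southeast-2:111122223333:table/orders/backup/EXAMPLE"}
}
""")

# Hypothetical per-principal baseline and IP-to-ASN enrichment (assumptions).
BASELINE = {"arn:aws:iam::111122223333:user/example-user": {
    "action": {"Query", "PutItem"}, "asn": {64500},
    "user_agent": {"Boto3/1.34.0"}, "region": {"eu-west-1"}}}
IP_TO_ASN = {"198.51.100.23": 64511}
SEVERITY = {1: "Informational", 2: "Low", 3: "Medium"}

def triage(event, baseline=BASELINE, ip_to_asn=IP_TO_ASN):
    """Return who restored what, and a severity from the count of unexpected properties."""
    if (event.get("eventSource"), event.get("eventName")) != (
            "dynamodb.amazonaws.com", "RestoreTableFromBackup"):
        return None  # not the event this finding covers
    principal = event.get("userIdentity", {}).get("arn", "unknown")
    observed = {"action": event["eventName"],
                "asn": ip_to_asn.get(event.get("sourceIPAddress")),
                "user_agent": event.get("userAgent"),
                "region": event.get("awsRegion")}
    known = baseline.get(principal, {})
    unexpected = sorted(k for k, v in observed.items() if v not in known.get(k, set()))
    params = event.get("requestParameters") or {}
    return {"principal": principal,
            "target_table": params.get("targetTableName"),
            "backup_arn": params.get("backupArn"),
            "unexpected": unexpected,
            # The page defines one to three properties; four is capped at Medium here (assumption).
            "severity": SEVERITY.get(min(len(unexpected), 3))}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENT), indent=2))
```

The returned principal and backup ARN are the starting points for the authorization check and for comparing the restored table with its approved state.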