Suspicious AWS API calls indicating AWS RDS instance with disabled encryption

ID: aws_rds_instance_unencrypted_suspicious
Data type: AWS CloudTrail
Severity: Informational - Medium
MITRE ATT&CK: TA0005:T1600

Description

AlphaSOC detected that encryption for an AWS RDS instance was disabled through an API call, indicating that the data is now stored unencrypted. Threat actors may exploit this misconfiguration to access sensitive data stored in the database.

Impact

This action may indicate an ongoing compromise in which adversaries attempt to modify access controls to bypass encryption that would otherwise protect the data. Unencrypted AWS RDS instances undermine an organization's security and can result in violations of regulatory requirements, compliance penalties, and reputational damage.

Severity

Severity        Condition
Informational   Unexpected action, ASN, user agent or region
Low             Two unexpected properties at the same time
Medium          Three unexpected properties at the same time

Investigation and Remediation

Review AWS CloudTrail logs to identify the user responsible for disabling encryption for the AWS RDS instance. Verify whether this action was authorized. If it was not, re-enable encryption on the instance and rotate the credentials used to perform this action. Consider updating security policies to enforce encryption for all AWS RDS instances.
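To make the severity table and the CloudTrail review concrete, here is an added example (not AlphaSOC's own detection code) that scores constructed CloudTrail records for RDS instances provisioned without storage encryption and reports the responsible identity. The in-scope event names, the `asn` enrichment field, the baseline values and the sample records are assumptions or constructed for illustration.

```python
"""Score CloudTrail records for unencrypted RDS instances per the severity
table (1/2/3 unexpected properties -> Informational/Low/Medium). Added example,
not AlphaSOC's code; event names, 'asn' field, baseline and samples are assumed."""

# Assumed: RDS API calls whose request can set storageEncrypted to false.
IN_SCOPE_EVENTS = {"CreateDBInstance", "RestoreDBInstanceFromS3"}

# Constructed baseline of values previously seen in this account.
BASELINE = {
    "action": {"CreateDBInstance"},
    "asn": {"AS16509"},              # assumed: added by IP-to-ASN enrichment
    "user_agent": {"aws-cli/2.15.0"},
    "region": {"eu-west-1"},
}
SEVERITY = {0: None, 1: "Informational", 2: "Low", 3: "Medium"}

def is_unencrypted_rds(event):
    """True when an RDS call explicitly requests storage without encryption."""
    if event.get("eventSource") != "rds.amazonaws.com":
        return False
    if event.get("eventName") not in IN_SCOPE_EVENTS:
        return False
    params = event.get("requestParameters") or {}
    return params.get("storageEncrypted") is False

def unexpected_properties(event):
    """Names of the properties (action, ASN, user agent, region) outside the baseline."""
    observed = {
        "action": event.get("eventName"),
        "asn": event.get("asn"),
        "user_agent": event.get("userAgent"),
        "region": event.get("awsRegion"),
    }
    return sorted(k for k, v in observed.items() if v not in BASELINE[k])

def score_event(event):
    """Return (severity, unexpected, actor) or None when the record is out of scope."""
    if not is_unencrypted_rds(event):
        return None
    unexpected = unexpected_properties(event)
    actor = (event.get("userIdentity") or {}).get("arn", "unknown")
    return SEVERITY[min(len(unexpected), 3)], unexpected, actor  # caps at Medium

# Constructed sample records: one encrypted (ignored), one with two unexpected properties.
SAMPLE_EVENTS = [
    {"eventSource": "rds.amazonaws.com", "eventName": "CreateDBInstance",
     "awsRegion": "eu-west-1", "userAgent": "aws-cli/2.15.0", "asn": "AS16509",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"storageEncrypted": True}},
    {"eventSource": "rds.amazonaws.com", "eventName": "RestoreDBInstanceFromS3",
     "awsRegion": "eu-west-1", "userAgent": "Boto3/1.34.0", "asn": "AS16509",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"storageEncrypted": False}},
]
```

Calling `score_event` on the second sample returns `("Low", ["action", "user_agent"], ".../user/bob")`; a record that also came from an unexpected region would reach Medium, the table's top level.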