AWS RDS snapshot copied
Description
AlphaSOC detected that an AWS RDS snapshot was copied using the
CopyDBClusterSnapshot or CopyDBSnapshot API action. These actions create a
copy of an existing manual or automated snapshot, which is a point-in-time
backup of an RDS DB instance or Aurora DB cluster, optionally in another
region or encrypted under a different KMS key. Threat actors may copy
snapshots to another region, re-encrypt them under a key they control, or
copy a snapshot that was first shared with an external account, as a method of
data exfiltration.
Impact
Unauthorized snapshot copying can lead to data breaches, as snapshots contain complete copies of production databases, typically including customer records, credentials, and other sensitive information. This activity may indicate an attempt to exfiltrate intellectual property, customer data, or other confidential information from your AWS infrastructure.
Severity
| Severity | Condition |
|---|---|
| Low | AWS RDS snapshot copied |
Investigation and Remediation
Review AWS CloudTrail for the CopyDBSnapshot or CopyDBClusterSnapshot event and record the calling principal (userIdentity), the source IP address, the source and target snapshot identifiers, the sourceRegion and kmsKeyId request parameters, and the account and region in which the call was logged. Confirm with the resource owner that the copy was authorized and that the destination region and KMS key are within your organization's control. Because CloudTrail records an API call in the account whose credentials made it, a copy into an external account appears in that account's trail, not yours; in your own trail the visible precursor is a ModifyDBSnapshotAttribute or ModifyDBClusterSnapshotAttribute call with the restore attribute adding an account ID or "all", so search for those events against the same snapshot. If the activity is unauthorized, immediately revoke the compromised credentials, delete any unauthorized snapshot copies, remove external accounts from the snapshot's restore attribute, and audit CloudTrail for other suspicious activity by the same principal.
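The triage described above, as an added example that is not AlphaSOC's detection code: the script walks newline-delimited CloudTrail records, picks out the copy and share events, and reports the indicators a responder checks (calling principal, cross-region copy, re-encryption under a different KMS key, and sharing with an account outside your organization). The requestParameters field names (leading lower-case, mirroring the RDS API parameter names) and the sample records are assumptions constructed for this example; the account IDs are placeholders.

```python
"""Triage CloudTrail records for RDS snapshot copy and share activity.

Added example, not part of the original page. Assumes CloudTrail renders the
RDS request parameters with a leading lower-case letter (for example
sourceDBSnapshotIdentifier, sourceRegion, kmsKeyId, valuesToAdd).
"""
import json

COPY_EVENTS = {"CopyDBSnapshot", "CopyDBClusterSnapshot"}
SHARE_EVENTS = {"ModifyDBSnapshotAttribute", "ModifyDBClusterSnapshotAttribute"}


def arn_account(identifier):
    """Return the account ID embedded in an ARN, or None for a bare snapshot name."""
    parts = identifier.split(":")
    if len(parts) >= 6 and parts[0] == "arn":
        return parts[4]
    return None


def triage_event(event, own_accounts):
    """Summarize one CloudTrail record; None if it is not a copy or share event."""
    name = event.get("eventName")
    if name not in COPY_EVENTS and name not in SHARE_EVENTS:
        return None
    params = event.get("requestParameters") or {}
    identity = event.get("userIdentity") or {}
    summary = {
        "time": event.get("eventTime"),
        "event": name,
        "principal": identity.get("arn") or identity.get("principalId"),
        "source_ip": event.get("sourceIPAddress"),
        "account": event.get("recipientAccountId"),
        "region": event.get("awsRegion"),
        "findings": [],
    }
    if name in COPY_EVENTS:
        source = (params.get("sourceDBSnapshotIdentifier")
                  or params.get("sourceDBClusterSnapshotIdentifier") or "")
        summary["source"] = source
        summary["target"] = (params.get("targetDBSnapshotIdentifier")
                             or params.get("targetDBClusterSnapshotIdentifier"))
        # A bare name can only refer to a snapshot in the calling account and
        # region; an ARN may point at a snapshot shared from another account.
        source_account = arn_account(source) or summary["account"]
        if source_account not in own_accounts:
            summary["findings"].append(
                f"source snapshot owned by external account {source_account}")
        source_region = params.get("sourceRegion")
        if source_region and source_region != summary["region"]:
            summary["findings"].append(f"cross-region copy from {source_region}")
        if params.get("kmsKeyId"):
            # The copy may be re-encrypted under a key the attacker controls.
            summary["findings"].append(
                f"copy encrypted under KMS key {params['kmsKeyId']}")
    else:
        if params.get("attributeName") != "restore":
            return None  # other attributes do not change who can restore it
        for account in params.get("valuesToAdd") or []:
            if account == "all":
                summary["findings"].append("snapshot made public")
            elif account not in own_accounts:
                summary["findings"].append(
                    f"snapshot shared with external account {account}")
    return summary


def triage_log(lines, own_accounts):
    """Return summaries for every copy/share event in newline-delimited JSON."""
    results = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        summary = triage_event(json.loads(line), own_accounts)
        if summary is not None:
            results.append(summary)
    return results


# Constructed sample records (not real CloudTrail output). 111111111111 is the
# account being investigated; 999999999999 is outside the organization.
OWN_ACCOUNTS = {"111111111111"}
SAMPLE_LOG = """
{"eventTime":"2024-05-01T10:15:00Z","eventSource":"rds.amazonaws.com","eventName":"CopyDBSnapshot","awsRegion":"us-east-1","sourceIPAddress":"203.0.113.10","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111111111111:user/alice"},"requestParameters":{"sourceDBSnapshotIdentifier":"orders-nightly-2024-05-01","targetDBSnapshotIdentifier":"orders-nightly-2024-05-01-copy"},"recipientAccountId":"111111111111"}
{"eventTime":"2024-05-01T10:20:00Z","eventSource":"rds.amazonaws.com","eventName":"CopyDBClusterSnapshot","awsRegion":"us-east-1","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111111111111:user/bob"},"requestParameters":{"sourceDBClusterSnapshotIdentifier":"arn:aws:rds:eu-west-1:111111111111:cluster-snapshot:orders-cluster-2024-05-01","targetDBClusterSnapshotIdentifier":"orders-cluster-export","sourceRegion":"eu-west-1","kmsKeyId":"arn:aws:kms:us-east-1:111111111111:key/0000aaaa-0000-0000-0000-000000000000"},"recipientAccountId":"111111111111"}
{"eventTime":"2024-05-01T10:25:00Z","eventSource":"rds.amazonaws.com","eventName":"ModifyDBSnapshotAttribute","awsRegion":"us-east-1","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111111111111:user/bob"},"requestParameters":{"dBSnapshotIdentifier":"orders-nightly-2024-05-01-copy","attributeName":"restore","valuesToAdd":["999999999999"]},"recipientAccountId":"111111111111"}
{"eventTime":"2024-05-01T10:26:00Z","eventSource":"rds.amazonaws.com","eventName":"DescribeDBSnapshots","awsRegion":"us-east-1","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111111111111:user/bob"},"requestParameters":null,"recipientAccountId":"111111111111"}
"""

if __name__ == "__main__":
    for entry in triage_log(SAMPLE_LOG.splitlines(), OWN_ACCOUNTS):
        status = "; ".join(entry["findings"]) or "in-account copy, verify with owner"
        print(f'{entry["time"]} {entry["event"]} by {entry["principal"]} '
              f'from {entry["source_ip"]}: {status}')
```

The first record (an in-account, same-region copy with no KMS change) produces an empty findings list and is exactly the case this detection raises at low severity; the second and third records show the cross-region re-keyed copy followed by sharing with an external account, which together form the exfiltration path described above.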