AWS RDS DB Instance Made Public

About

Tags

Domain: CloudData Source: AWSData Source: Amazon Web ServicesData Source: AWS RDSUse Case: Threat DetectionTactic: PersistenceTactic: Defense EvasionLanguage: eql

Severity

medium

Risk Score

47

MITRE ATT&CK™

Persistence (TA0003)(opens in a new tab or window)

↳ Modify Authentication Process (T1556)(opens in a new tab or window)

Defense Evasion (TA0005)(opens in a new tab or window)

False Positive Examples

Public access is a common configuration used to enable access from outside a private VPC. Ensure that the instance should not be modified in this way before taking action.

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type

Event Correlation Rule

Integration Pack

Prebuilt Security Detection Rules

Index Patterns

filebeat-*logs-aws.cloudtrail-*

Related Integrations

aws(opens in a new tab or window)

Query

any where event.dataset == "aws.cloudtrail"
    and event.provider == "rds.amazonaws.com"
    and event.outcome == "success"
    and (
        (event.action == "ModifyDBInstance" and stringContains(aws.cloudtrail.request_parameters, "publiclyAccessible=true"))
        or
        (event.action in ("CreateDBInstance", "CreateDBCluster") and stringContains(aws.cloudtrail.request_parameters, "publiclyAccessible=true"))
    )