AWS RDS DB Instance Restored

Last updated 5 months ago on 2025-01-15

Created 4 years ago on 2021-06-29

About

An adversary with a set of compromised credentials may attempt to make copies of running or deleted RDS databases in order to evade defense mechanisms or access data. This rule identifies successful attempts to restore a DB instance using the RDS `RestoreDBInstanceFromDBSnapshot` or `RestoreDBInstanceFromS3` API operations.

Tags

Domain: CloudData Source: AWSData Source: Amazon Web ServicesData Source: AWS RDSUse Case: Asset VisibilityTactic: Defense EvasionLanguage: eql

Severity

medium

Risk Score

MITRE ATT&CK™

Defense Evasion (TA0005)(opens in a new tab or window)

↳ Modify Cloud Compute Infrastructure (T1578)(opens in a new tab or window)

False Positive Examples

Restoring DB instances may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Instance restoration by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type: Event Correlation Rule
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: filebeat-*logs-aws.cloudtrail-*
Related Integrations: aws(opens in a new tab or window)
Query

any where event.dataset == "aws.cloudtrail"
    and event.provider == "rds.amazonaws.com"
    and event.action in ("RestoreDBInstanceFromDBSnapshot", "RestoreDBInstanceFromS3")
    and event.outcome == "success"

Install detection rules in Elastic Security

Detect AWS RDS DB Instance Restored in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).