Modification or Deletion of an AWS RDS Cluster

Original Source: [Sigma source]
Title: Modification or Deletion of an AWS RDS Cluster
Status: experimental
Description: Detects modification or deletion of an RDS cluster, which may indicate data exfiltration, unauthorized access, or exposure of sensitive information.
References:
  - https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBCluster.html
  - https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBCluster.html
  - https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc#rds-modifydbinstance
Author: Ivan Saakov
Date: 2024-12-06
Modified: None
Tags:
  - attack.exfiltration
  - attack.t1020
Logsource:
  product: aws
  service: cloudtrail
Detection:
  selection:
    eventSource: 'rds.amazonaws.com'
    eventName:
      - 'ModifyDBCluster'
      - 'DeleteDBCluster'
  condition: selection
False positives:
  - Verify if the modification or deletion was performed by an authorized administrator.
  - Confirm if the modification or deletion was part of a planned change or maintenance activity.
Level: high
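As an added example (not part of the Sigma rule or its source), the selection above applied in Python to constructed CloudTrail records, pulling out the fields the false-positive checks call for. The allowlist of administrator ARN prefixes and the sample records are assumptions, not real data.

```python
import json

# Constructed sample CloudTrail records (not real events) in the "Records" list
# shape CloudTrail delivers to S3; field names follow the CloudTrail record schema.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventSource": "rds.amazonaws.com", "eventName": "ModifyDBCluster",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"},
     "requestParameters": {"dBClusterIdentifier": "prod-cluster",
                           "masterUserPassword": "****"}},
    {"eventSource": "rds.amazonaws.com", "eventName": "DescribeDBClusters",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"},
     "requestParameters": None},
    {"eventSource": "rds.amazonaws.com", "eventName": "DeleteDBCluster",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/DBAdmin/chg-4711"},
     "requestParameters": {"dBClusterIdentifier": "staging-cluster",
                           "skipFinalSnapshot": True}},
]})

RDS_SOURCE = "rds.amazonaws.com"
WATCHED_EVENTS = {"ModifyDBCluster", "DeleteDBCluster"}

def matches_selection(record: dict) -> bool:
    """The rule's 'selection': eventSource is RDS and eventName is one of the two."""
    return (record.get("eventSource") == RDS_SOURCE
            and record.get("eventName") in WATCHED_EVENTS)

def triage_fields(record: dict) -> dict:
    """Fields an analyst needs to apply the rule's false-positive checks."""
    params = record.get("requestParameters") or {}
    return {
        "event": record.get("eventName"),
        "cluster": params.get("dBClusterIdentifier"),
        "principal": (record.get("userIdentity") or {}).get("arn", ""),
        "skip_final_snapshot": bool(params.get("skipFinalSnapshot", False)),
        "credential_change": "masterUserPassword" in params,
    }

def run_rule(cloudtrail_json: str, authorized_prefixes: set) -> list:
    """Apply the selection, then tag each hit with the 'authorized admin' check.
    authorized_prefixes is an assumed allowlist of ARN prefixes (prefix match, since
    assumed-role ARNs end in a session name). Hits are tagged, never dropped."""
    alerts = []
    for rec in json.loads(cloudtrail_json)["Records"]:
        if matches_selection(rec):
            alert = triage_fields(rec)
            alert["authorized"] = any(alert["principal"].startswith(p)
                                      for p in authorized_prefixes)
            alerts.append(alert)
    return alerts
```

The planned-change check from the false positives list is left to the analyst: the `authorized` tag only answers the first check, and a hit from an allowlisted principal still needs a change-ticket lookup before it is closed.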