About
An attacker who wants to access RDS instance data can create a snapshot of the instance, then share the snapshot outside of your AWS account.
Understanding Impact
Business Impact
RDS databases can be copied into snapshots, which can then be copied outside of your organization. As disks typically contain sensitive data, this can lead to uncontrolled data leaks.
Technical Impact
An attacker can share an RDS snapshot with their own AWS account, or make it publicly accessible. After doing so, they would typically copy the snapshot into an environment they control to access the data.
Detection
You can identify when a snapshot of an RDS instance is taken using the CloudTrail event CreateDBSnapshot.
Then, you can identify when an RDS snapshot is shared (publicly or with another AWS account) using the event ModifyDBSnapshotAttribute. Below is an example of what the requestParameters attribute looks like when an RDS snapshot is shared with an external AWS account:
"requestParameters": {
  "dBSnapshotIdentifier": "db-snapshot",
  "attributeName": "restore",
  "valuesToAdd": ["0123456789012"]
}
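The detection logic described above, written out as an added example (it is not code from the original page, from Datadog, or from AWS). It runs over a handful of constructed CloudTrail records, flags ModifyDBSnapshotAttribute calls that grant restore access to an account outside an assumed allow-list (TRUSTED_ACCOUNTS) or to "all" (the value AWS uses for a public share), and enriches each finding with the identity that created the snapshot when a matching CreateDBSnapshot event is in the same batch. The account IDs, ARNs and snapshot names are all made up.

```python
import json

# Constructed sample CloudTrail records (not real events). They cover the two
# stages the page describes: CreateDBSnapshot, then ModifyDBSnapshotAttribute
# sharing that snapshot with another account or with everyone ("all").
SAMPLE_EVENTS = [
    {
        "eventName": "CreateDBSnapshot",
        "eventSource": "rds.amazonaws.com",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
        "requestParameters": {
            "dBInstanceIdentifier": "prod-db",
            "dBSnapshotIdentifier": "db-snapshot",
        },
    },
    {
        "eventName": "ModifyDBSnapshotAttribute",
        "eventSource": "rds.amazonaws.com",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
        "requestParameters": {
            "dBSnapshotIdentifier": "db-snapshot",
            "attributeName": "restore",
            "valuesToAdd": ["0123456789012"],
        },
    },
    {
        "eventName": "ModifyDBSnapshotAttribute",
        "eventSource": "rds.amazonaws.com",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
        "requestParameters": {
            "dBSnapshotIdentifier": "db-snapshot",
            "attributeName": "restore",
            "valuesToAdd": ["all"],
        },
    },
    {
        # Benign: sharing with an account treated as part of the organization.
        "eventName": "ModifyDBSnapshotAttribute",
        "eventSource": "rds.amazonaws.com",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"},
        "requestParameters": {
            "dBSnapshotIdentifier": "nightly-backup",
            "attributeName": "restore",
            "valuesToAdd": ["222222222222"],
        },
    },
    {
        # Benign: revoking a share, nothing in valuesToAdd.
        "eventName": "ModifyDBSnapshotAttribute",
        "eventSource": "rds.amazonaws.com",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"},
        "requestParameters": {
            "dBSnapshotIdentifier": "nightly-backup",
            "attributeName": "restore",
            "valuesToRemove": ["222222222222"],
        },
    },
]

# Assumption: AWS account IDs that are allowed to receive snapshot shares.
TRUSTED_ACCOUNTS = {"111111111111", "222222222222"}


def snapshot_creators(events):
    """Map each snapshot identifier to the ARN that created it (CreateDBSnapshot)."""
    creators = {}
    for e in events:
        if e.get("eventName") == "CreateDBSnapshot":
            snap = (e.get("requestParameters") or {}).get("dBSnapshotIdentifier")
            if snap:
                creators[snap] = (e.get("userIdentity") or {}).get("arn")
    return creators


def classify_share(event, trusted=TRUSTED_ACCOUNTS):
    """Return a finding for a ModifyDBSnapshotAttribute call that grants restore
    access to an untrusted principal; None for anything else."""
    if event.get("eventName") != "ModifyDBSnapshotAttribute":
        return None
    params = event.get("requestParameters") or {}
    if params.get("attributeName") != "restore":
        return None
    added = params.get("valuesToAdd") or []
    snapshot = params.get("dBSnapshotIdentifier")
    actor = (event.get("userIdentity") or {}).get("arn")
    if "all" in added:  # "all" is how AWS expresses a public share
        return {"snapshot": snapshot, "actor": actor, "severity": "high",
                "reason": "snapshot made public"}
    external = sorted(a for a in added if a not in trusted)
    if external:
        return {"snapshot": snapshot, "actor": actor, "severity": "medium",
                "reason": "snapshot shared with external account(s)",
                "accounts": external}
    return None


def detect(events, trusted=TRUSTED_ACCOUNTS):
    """Run the share check over a batch of records, enriching each finding
    with the snapshot's creator when that is known from the same batch."""
    creators = snapshot_creators(events)
    findings = []
    for e in events:
        f = classify_share(e, trusted)
        if f:
            f["created_by"] = creators.get(f["snapshot"])
            findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

On the sample batch this yields two findings for db-snapshot (one medium for the external account, one high for the public share), both attributed to the identity that created the snapshot; the share with a trusted account and the revocation produce nothing. In a real deployment the records would come from your CloudTrail log delivery rather than an inline list, and the trusted set from your organization's account inventory.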
Reproduce the attack
You can easily reproduce this attack in a self-contained manner with Stratus Red Team using the following command:
stratus detonate aws.exfiltration.rds-share-snapshot
See also the related documentation.
How Datadog can help
Cloud SIEM
Datadog Cloud SIEM detects this attack using the out-of-the-box rule "Possible RDS Snapshot Exfiltration".
References
Exfiltrate RDS Snapshot by Sharing (stratus-red-team.cloud)
Sample incident where an RDS snapshot was stolen (imperva.com)
Sharing a DB snapshot (AWS documentation)