An attacker who wants to access RDS instance data can create a snapshot of the instance, then share the snapshot outside of your AWS account.
RDS databases can be copied into snapshots, which can then be copied outside of your organization. As database snapshots typically contain sensitive data, this can lead to uncontrolled data leaks.
An attacker can share an RDS snapshot with their AWS account, or make it publicly accessible. After doing so, they would typically copy the snapshot in an environment they control to access the data.
You can identify when a snapshot of an RDS volume is taken using the CloudTrail event.
Then, you can identify when an RDS snapshot is shared (publicly or with another AWS account) using the event ModifyDBSnapshotAttribute. Below is an example of what the requestParameters attribute looks like when an RDS snapshot is shared with an external AWS account:
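The detection logic described above, written out as an added example that is not part of the original page or of Datadog's rule: it scans CloudTrail records for ModifyDBSnapshotAttribute calls that grant the "restore" attribute to an account outside an allowlist or to "all" (which makes the snapshot public). The sample events, the snapshot identifiers and the account IDs are constructed for this example; the "restore" attribute name and the valuesToAdd parameter are the real RDS API parameters, and the snapshot-creation event is assumed to be CreateDBSnapshot, which the page does not name.

```python
"""Flag RDS snapshot sharing outside a set of trusted AWS accounts.

Example detection logic over CloudTrail-style records; not code from the page.
"""

# Accounts that are allowed to receive snapshots. Constructed placeholder ID.
TRUSTED_ACCOUNTS = {"111111111111"}

# Constructed CloudTrail records: one snapshot creation, one share with a
# trusted account, one share with an unknown account, one public share, and
# one un-share (valuesToRemove only). Field names follow CloudTrail's habit of
# lower-casing the first letter of request parameters.
SAMPLE_EVENTS = [
    {"eventSource": "rds.amazonaws.com", "eventName": "CreateDBSnapshot",
     "requestParameters": {"dBSnapshotIdentifier": "prod-db-snap",
                           "dBInstanceIdentifier": "prod-db"}},
    {"eventSource": "rds.amazonaws.com", "eventName": "ModifyDBSnapshotAttribute",
     "requestParameters": {"dBSnapshotIdentifier": "prod-db-snap",
                           "attributeName": "restore",
                           "valuesToAdd": ["111111111111"]}},
    {"eventSource": "rds.amazonaws.com", "eventName": "ModifyDBSnapshotAttribute",
     "requestParameters": {"dBSnapshotIdentifier": "prod-db-snap",
                           "attributeName": "restore",
                           "valuesToAdd": ["999999999999"]}},
    {"eventSource": "rds.amazonaws.com", "eventName": "ModifyDBSnapshotAttribute",
     "requestParameters": {"dBSnapshotIdentifier": "prod-db-snap-2",
                           "attributeName": "restore",
                           "valuesToAdd": ["all"]}},
    {"eventSource": "rds.amazonaws.com", "eventName": "ModifyDBSnapshotAttribute",
     "requestParameters": {"dBSnapshotIdentifier": "prod-db-snap-2",
                           "attributeName": "restore",
                           "valuesToRemove": ["all"]}},
]


def shared_targets(event):
    """Return the principals a snapshot is newly shared with by this event.

    Only ModifyDBSnapshotAttribute on the 'restore' attribute changes who may
    copy or restore the snapshot; anything else yields an empty set.
    """
    if event.get("eventSource") != "rds.amazonaws.com":
        return set()
    if event.get("eventName") != "ModifyDBSnapshotAttribute":
        return set()
    params = event.get("requestParameters") or {}
    if params.get("attributeName") != "restore":
        return set()
    return set(params.get("valuesToAdd") or [])


def is_suspicious_share(event, trusted=TRUSTED_ACCOUNTS):
    """True if the snapshot is shared publicly or with a non-allowlisted account."""
    return any(t == "all" or t not in trusted for t in shared_targets(event))


def find_suspicious(events, trusted=TRUSTED_ACCOUNTS):
    """Return (snapshot id, sorted untrusted targets) for each suspicious event."""
    hits = []
    for event in events:
        if is_suspicious_share(event, trusted):
            snapshot = event["requestParameters"]["dBSnapshotIdentifier"]
            hits.append((snapshot, sorted(shared_targets(event) - trusted)))
    return hits


if __name__ == "__main__":
    for snapshot, targets in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT: snapshot {snapshot} shared with {targets}")
```

Sharing with an account already in the allowlist and removing a previous share are deliberately not reported, so the rule keys on the grant itself rather than on every ModifyDBSnapshotAttribute call. To audit current exposure rather than past events, the same "restore" attribute can be read back for each snapshot with the RDS DescribeDBSnapshotAttributes API.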
Reproduce the attack
You can easily reproduce this attack in a self-contained manner with Stratus Red Team using the following command:
stratus detonate aws.exfiltration.rds-share-snapshot
See also the related documentation.
How Datadog can help
Datadog Cloud SIEM detects this attack using the out-of-the-box rule "Possible RDS Snapshot Exfiltration".
Related links: Exfiltrate RDS Snapshot by Sharing; Sample incident where an RDS snapshot was stolen; Sharing a DB snapshot.