Stealing an RDS database by creating a snapshot and sharing it







EXPLOITABILITY Exploitability of a vulnerability measures how easy it is for an attacker to discover and exploit the vulnerability, some might refer to this as likelihood.

IMPACT How impactful to your environment and organization a successful exploitation of this vulnerability is expected to be.




An attacker who wants to access RDS instance data can create a snapshot of the instance, then share the snapshot outside of your AWS account.

Understanding Impact

Business Impact

RDS databases can be copied into snapshots, which can then be copied outside of your organization. As disks typically contain sensitive data, this can lead to uncontrolled data leaks.

Technical Impact

An attacker can share an RDS snapshot with their AWS account, or make it publicly accessible. After doing so, they would typically copy the snapshot in an environment they control to access the data.


You can identify when a snapshot of an RDS volume is taken using the CloudTrail event CreateDBSnapshot.

Then, you can identify when an RDS snapshot is shared (publicly or with another AWS account) using the event ModifyDBSnapshotAttribute. Below is an example of what the requestParameters attribute looks like when an RDS snapshot is shared with an external AWS account:

"requestParameters": {
  "dBSnapshotIdentifier": "db-snapshot",
  "attributeName": "restore"
  "valuesToAdd": ["0123456789012"],

Reproduce the attack

You can easily reproduce this attack in a self-contained manner with Stratus Red Team using the following command:

stratus detonate aws.exfiltration.rds-share-snapshot

See also the related documentation.

How Datadog can help

Cloud SIEM

Datadog Cloud SIEM detects this attack using the out-of-the-box rule "Possible RDS Snapshot Exfiltration".


Exfiltrate RDS Snapshot by Sharing

Sample incident where an RDS snapshot was stolen

Sharing a DB snapshot

aws documentation

Did you find this article helpful?

Related Vulnerabilities and Threats