detection-rules
Loading

AWS RDS DB Instance Made Public

Identifies the creation or modification of an Amazon RDS DB instance or cluster where the "publiclyAccessible" attribute is set to "true". Publicly accessible RDS instances expose a network endpoint on the public internet, which may allow unauthorized access if combined with overly permissive security groups, weak authentication, or misconfigured IAM policies. Adversaries may enable public access on an existing instance, or create a new publicly accessible instance, to establish persistence, move data outside of controlled network boundaries, or bypass internal access controls.

Rule type: eql
Rule indices:

  • filebeat-*
  • logs-aws.cloudtrail-*

Rule Severity: medium
Risk Score: 47
Runs every:
Searches indices from: now-6m
Maximum alerts per execution: ?
References:

Tags:

  • Domain: Cloud
  • Data Source: AWS
  • Data Source: Amazon Web Services
  • Data Source: AWS RDS
  • Resources: Investigation Guide
  • Use Case: Threat Detection
  • Tactic: Persistence
  • Tactic: Defense Evasion

Version: ?
Rule authors:

  • Elastic

Rule license: Elastic License v2

Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, validate and adapt it to suit your operational needs.

This rule detects when an Amazon RDS DB instance or cluster is created or modified with publiclyAccessible=true. While some environments operate publicly accessible RDS instances, unexpected exposure of a database to the internet is a meaningful security risk. Adversaries who gain access to AWS credentials may modify a DB instance’s public accessibility to exfiltrate data, establish persistence, or bypass internal network restrictions.

  • Identify the actor

    • Review aws.cloudtrail.user_identity.arn, aws.cloudtrail.user_identity.type, and access_key_id to determine which IAM principal made the change.
    • Determine whether the user, role, or automation service typically manages RDS configurations.

  • Examine the request parameters

    • Review aws.cloudtrail.request_parameters for:
      • publiclyAccessible=true
      • DBInstanceIdentifier / DBClusterIdentifier
      • Additional changes included in the same modification request (e.g., master user changes, security group updates)

  • Validate the target resource

    • Determine the sensitivity of the instance (target.entity.id):
      • What data does it store?
      • Is it production, staging, dev, or ephemeral?
    • Confirm whether the instance was previously private.

  • Assess network exposure

    • Check associated security groups for:
      • 0.0.0.0/0 (unrestricted ingress)
      • Unexpected IP ranges
    • Review VPC/subnet placement to determine if the instance is reachable externally.

  • Correlate with other recent CloudTrail activity

    • Look for related events performed by the same actor:
      • AuthorizeSecurityGroupIngress
      • ModifyDBInstance
      • IAM policy modifications enabling broader DB access
    • Look for indicators of credential misuse:
      • unusual source.ip
      • unusual user_agent.original
      • MFA not used (session_context.mfa_authenticated=false)

  • Validate intent with owners

    • Contact the service or database owner to confirm whether the change was an approved part of a deployment or migration.
  • Expected public-access configuration
    • Some workloads intentionally require public access (e.g., internet-facing reporting tools).
    • Validate against change management tickets, deployment pipelines, or Terraform/IaC automation logs.

  • Containment

    • If exposure is unauthorized:
      • Modify the instance to disable public access (publiclyAccessible=false).
      • Restrict the security group inbound rules immediately.
      • Snapshot the instance to preserve state if compromise is suspected.

  • Investigation

    • Review all recent actions from the same IAM principal.
    • Check for data access patterns (CloudWatch, RDS Enhanced Monitoring, VPC Flow Logs).
    • Identify whether this exposure correlates with suspicious outbound network activity.

  • Hardening

    • Require private-only RDS instances unless explicitly documented.
    • Enforce security group least privilege and block public DB access via:
      • AWS Config rules (rds-instance-public-access-check)
      • Service Control Policies (SCPs) preventing public RDS settings
    • Implement continuous monitoring for network or configuration drift.

  • Recovery

    • Restore the database to a private subnet if necessary.
    • Rotate credentials used by the DB instance and associated applications.
    • Document the incident and update policies or IaC templates to prevent recurrence.
any where event.dataset == "aws.cloudtrail"
    and event.provider == "rds.amazonaws.com"
    and event.outcome == "success"
    and (
        (event.action == "ModifyDBInstance" and stringContains(aws.cloudtrail.request_parameters, "publiclyAccessible=true"))
        or
        (event.action in ("CreateDBInstance", "CreateDBCluster") and stringContains(aws.cloudtrail.request_parameters, "publiclyAccessible=true"))
    )

Framework: MITRE ATT&CK

Framework: MITRE ATT&CK