Microsoft Sentinel Analytic Rules

AWSCloudTrail - RDS instance publicly exposed

Id: 8f1630c2-2e45-4df2-be43-50fba90f601d
Rulename: AWSCloudTrail - RDS instance publicly exposed
Description: Detects RDS instance creation or modification events where the database is configured as publicly accessible.
Public exposure of database instances can increase the risk of unauthorized access and data leakage.
Severity: Medium
Tactics: Exfiltration
Techniques: T1537
Required data connectors: AWS
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_RDSInstancePubliclyExposed.yaml
Version: 1.0.3
Arm template: 8f1630c2-2e45-4df2-be43-50fba90f601d.json
AWSCloudTrail
// Only successful create/modify calls; a denied or failed call (non-empty ErrorCode/ErrorMessage) changed nothing
| where EventName in ("CreateDBInstance", "ModifyDBInstance") and isempty(ErrorCode) and isempty(ErrorMessage)
// CloudTrail records the request parameter as JSON true; tostring() renders it as "true"
| where tostring(parse_json(RequestParameters).publiclyAccessible) == "true"
// Fall back to the first ARN in the Resources array when the identity ARN is empty
| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)
// Last path segment of the ARN, e.g. the session name of an assumed role
| extend UserName = tostring(split(UserIdentityArn, '/')[-1])
| extend AccountName = case( UserIdentityPrincipalid == "Anonymous", "Anonymous", isempty(UserIdentityUserName), UserName, UserIdentityUserName)
// Split a UPN-style name (user@domain) into the Name and UPNSuffix identifiers of the Account entity
| extend AccountName = iif(AccountName contains "@", tostring(split(AccountName, '@', 0)[0]), AccountName),
  AccountUPNSuffix = iif(AccountName contains "@", tostring(split(AccountName, '@', 1)[0]), "")
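The following is an added example, not code from the Azure-Sentinel rule or from cloudbrothers.info: it re-implements the query's filters and entity-building steps in Python so they can be exercised offline. The rows are constructed to mirror the Sentinel AWSCloudTrail columns the query reads (they are not real CloudTrail records), and the names row(), SAMPLE_ROWS, is_public_exposure(), account_fields() and run_rule() are illustration names, not anything Sentinel provides.

```python
"""Offline re-implementation of the 'RDS instance publicly exposed' KQL logic.

Added example; not part of the Azure-Sentinel rule. Rows are constructed to
mirror the AWSCloudTrail table columns and are not real CloudTrail records.
"""
import json

# Event names the rule watches. Restore* and DB-cluster events are outside its scope.
WATCHED_EVENTS = {"CreateDBInstance", "ModifyDBInstance"}


def is_public_exposure(row):
    """Both 'where' clauses: watched event, no error, publiclyAccessible == true."""
    if row.get("EventName") not in WATCHED_EVENTS:
        return False
    # isempty(ErrorCode) and isempty(ErrorMessage): a denied/failed call changed nothing.
    if row.get("ErrorCode") or row.get("ErrorMessage"):
        return False
    params = json.loads(row.get("RequestParameters") or "{}")
    # CloudTrail stores the value as JSON true; KQL tostring() renders it as "true".
    return str(params.get("publiclyAccessible")).lower() == "true"


def account_fields(row):
    """The 'extend' steps that build the Account entity: (Name, UPNSuffix, ARN)."""
    arn = row.get("UserIdentityArn") or ""
    if not arn:
        # Fallback in the rule: first ARN in the Resources array.
        resources = json.loads(row.get("Resources") or "[]")
        arn = str(resources[0].get("ARN", "")) if resources else ""
    user_name = arn.split("/")[-1]  # split(UserIdentityArn, '/')[-1]
    if row.get("UserIdentityPrincipalid") == "Anonymous":
        account = "Anonymous"
    elif not row.get("UserIdentityUserName"):
        account = user_name
    else:
        account = row["UserIdentityUserName"]
    # split(AccountName, '@', 0)[0] / split(AccountName, '@', 1)[0]: segments 0 and 1 only.
    if "@" in account:
        parts = account.split("@")
        return parts[0], parts[1], arn
    return account, "", arn


def run_rule(rows):
    """Return one alert per matching row with the rule's entity and custom-detail fields."""
    alerts = []
    for row in rows:
        if not is_public_exposure(row):
            continue
        name, suffix, arn = account_fields(row)
        alerts.append({
            "AccountName": name, "AccountUPNSuffix": suffix, "UserIdentityArn": arn,
            "EventName": row["EventName"], "SourceIpAddress": row.get("SourceIpAddress"),
            "RecipientAccountId": row.get("RecipientAccountId"), "AWSRegion": row.get("AWSRegion"),
            "Title": f"AWS RDS instance publicly exposed by {name}",
        })
    return alerts


def row(event, public, arn, user_name, error="", principal="AIDAEXAMPLE"):
    """Build a constructed AWSCloudTrail-shaped row (illustration data, not a real record)."""
    return {
        "EventName": event, "ErrorCode": error, "ErrorMessage": "denied" if error else "",
        "RequestParameters": json.dumps({"dBInstanceIdentifier": "prod-db", "publiclyAccessible": public}),
        "UserIdentityArn": arn, "UserIdentityPrincipalid": principal, "UserIdentityUserName": user_name,
        "SourceIpAddress": "198.51.100.7", "RecipientAccountId": "111122223333", "AWSRegion": "eu-central-1",
    }


SAMPLE_ROWS = [
    # IAM user flips an existing instance to public: alerts as "alice"
    row("ModifyDBInstance", True, "arn:aws:iam::111122223333:user/alice", "alice"),
    # Federated session with no UserIdentityUserName: name taken from the ARN and split at '@'
    row("CreateDBInstance", True, "arn:aws:sts::111122223333:assumed-role/DBAdmin/bob@example.com", ""),
    # Same change but denied by IAM: excluded by the ErrorCode check
    row("ModifyDBInstance", True, "arn:aws:iam::111122223333:user/mallory", "mallory", error="AccessDenied"),
    # Explicitly private instance: no alert
    row("CreateDBInstance", False, "arn:aws:iam::111122223333:user/alice", "alice"),
    # Public restore from snapshot: accepted by the RDS API but not in the rule's event list
    row("RestoreDBInstanceFromDBSnapshot", True, "arn:aws:iam::111122223333:user/alice", "alice"),
]

if __name__ == "__main__":
    for alert in run_rule(SAMPLE_ROWS):
        print(alert["Title"], "from", alert["SourceIpAddress"], "in", alert["RecipientAccountId"])
```

Two rows in the sample set alert and three do not. The last row is the caveat to keep in mind when tuning this rule: it keys on an explicit publiclyAccessible=true request parameter on CreateDBInstance and ModifyDBInstance only, so RestoreDBInstanceFromDBSnapshot and RestoreDBInstanceToPointInTime (which accept the same parameter) are not covered, and a CreateDBInstance that omits the parameter can still end up public through the VPC default. Treat the alert as a prompt to confirm the actual state with aws rds describe-db-instances (the PubliclyAccessible field) and, if needed, revert it with aws rds modify-db-instance --no-publicly-accessible.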
severity: Medium
name: AWSCloudTrail - RDS instance publicly exposed
alertDetailsOverride:
  alertDescriptionFormat: Detected {{EventName}} event from {{SourceIpAddress}} setting RDS publicly accessible in account {{RecipientAccountId}}.
  alertDisplayNameFormat: AWS RDS instance publicly exposed by {{AccountName}}
kind: Scheduled
triggerOperator: gt
query: |
  AWSCloudTrail
  | where  EventName in ("CreateDBInstance", "ModifyDBInstance") and isempty(ErrorCode) and isempty(ErrorMessage)
  | where tostring(parse_json(RequestParameters).publiclyAccessible) == "true"
  | extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)
  | extend UserName = tostring(split(UserIdentityArn, '/')[-1])
  | extend AccountName = case( UserIdentityPrincipalid == "Anonymous", "Anonymous", isempty(UserIdentityUserName), UserName, UserIdentityUserName)
  | extend AccountName = iif(AccountName contains "@", tostring(split(AccountName, '@', 0)[0]), AccountName),
    AccountUPNSuffix = iif(AccountName contains "@", tostring(split(AccountName, '@', 1)[0]), "")  
tactics:
- Exfiltration
status: Available
version: 1.0.3
relevantTechniques:
- T1537
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_RDSInstancePubliclyExposed.yaml
triggerThreshold: 0
requiredDataConnectors:
- dataTypes:
  - AWSCloudTrail
  connectorId: AWS
id: 8f1630c2-2e45-4df2-be43-50fba90f601d
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: AccountUPNSuffix
  - identifier: CloudAppAccountId
    columnName: RecipientAccountId
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SourceIpAddress
customDetails:
  EventName: EventName
  RecipientAccountId: RecipientAccountId
  AWSRegion: AWSRegion
  UserIdentityArn: UserIdentityArn
queryFrequency: 1h
queryPeriod: 1h
description: |
  Detects RDS instance creation or modification events where the database is configured as publicly accessible.
  Public exposure of database instances can increase the risk of unauthorized access and data leakage.