detection.wiki

Detection rules › Panther

IAM Role Added to RDS Instance or Cluster

Severity
medium
Group by
awsRegion, recipientAccountId, requestParameters.dBInstanceIdentifier
Log types
AWS.CloudTrail
Tags
AWS, Persistence, Privilege Escalation, Additional Cloud Credentials, RDS
Reference
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_PostgreSQL.S3Import.html
Source
github.com/panther-labs/panther-analysis

Detects when IAM roles are added to RDS instances or clusters. While legitimate for features like S3 import/export, attackers may add overly permissive roles to maintain access or escalate privileges for data exfiltration.

MITRE ATT&CK coverage

TacticTechniques
PersistenceT1078.004 Valid Accounts: Cloud Accounts, T1098.001 Account Manipulation: Additional Cloud Credentials
Privilege EscalationT1078.004 Valid Accounts: Cloud Accounts, T1098.001 Account Manipulation: Additional Cloud Credentials

Rule body yaml

AnalysisType: rule
Filename: aws_rds_iam_role_added.py
RuleID: "AWS.RDS.IAMRoleAdded"
DisplayName: "IAM Role Added to RDS Instance or Cluster"
Enabled: true
LogTypes:
  - AWS.CloudTrail
Tags:
  - AWS
  - Persistence
  - Privilege Escalation
  - Additional Cloud Credentials
  - RDS
Severity: Medium
Description: >
  Detects when IAM roles are added to RDS instances or clusters. While legitimate for features
  like S3 import/export, attackers may add overly permissive roles to maintain access or
  escalate privileges for data exfiltration.
Runbook: |
  1. Find all IAM role additions by the user ARN in the past 24 hours
  2. Check if this user has added IAM roles to databases in the past 90 days to determine if this is normal behavior
  3. Look for data export or modification operations from this database in the 48 hours after the role was added
Reference: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_PostgreSQL.S3Import.html
Reports:
  MITRE ATT&CK:
    - TA0003:T1098.001  # Additional Cloud Credentials
    - TA0004:T1078.004  # Cloud Accounts
DedupPeriodMinutes: 60
SummaryAttributes:
  - eventName
  - userIdentity:principalId
  - requestParameters:dBInstanceIdentifier
  - requestParameters:dBClusterIdentifier
  - requestParameters:roleArn
  - p_any_aws_account_ids
Threshold: 1
Tests:
  - Name: Role Added to DB Instance
    ExpectedResult: true
    Log:
      eventVersion: "1.08"
      userIdentity:
        type: AssumedRole
        principalId: "AIDAI23HXS3EXAMPLE:user"
        arn: "arn:aws:sts::123456789012:assumed-role/DBARole/user"
        accountId: "123456789012"
        accessKeyId: "ASIAIOSFODNN7EXAMPLE"
      eventTime: "2024-01-17T13:00:00Z"
      eventSource: rds.amazonaws.com
      eventName: AddRoleToDBInstance
      awsRegion: us-east-1
      sourceIPAddress: "10.0.1.100"
      userAgent: "aws-cli/2.13.0"
      requestParameters:
        dBInstanceIdentifier: "production-postgres"
        roleArn: "arn:aws:iam::123456789012:role/RDS-S3-Import-Role"
        featureName: "s3Import"
      responseElements:
        dBInstanceIdentifier: "production-postgres"
        associatedRoles:
          - roleArn: "arn:aws:iam::123456789012:role/RDS-S3-Import-Role"
            featureName: "s3Import"
            status: "PENDING"
      requestID: "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
      eventID: "f1e2d3c4-b5a6-7890-1234-567890abcdef"
      readOnly: false
      eventType: AwsApiCall
      managementEvent: true
      recipientAccountId: "123456789012"
      eventCategory: Management

  - Name: Role Added to DB Cluster
    ExpectedResult: true
    Log:
      eventVersion: "1.08"
      userIdentity:
        type: IAMUser
        principalId: "AIDAI23HXS3EXAMPLE"
        arn: "arn:aws:iam::123456789012:user/developer"
        accountId: "123456789012"
        accessKeyId: "AKIAIOSFODNN7EXAMPLE"
        userName: developer
      eventTime: "2024-01-17T13:00:00Z"
      eventSource: rds.amazonaws.com
      eventName: AddRoleToDBCluster
      awsRegion: us-west-2
      sourceIPAddress: "203.0.113.75"
      userAgent: "Boto3/1.26.0"
      requestParameters:
        dBClusterIdentifier: "aurora-cluster-prod"
        roleArn: "arn:aws:iam::123456789012:role/RDS-Lambda-Access"
        featureName: "Lambda"
      responseElements:
        dBClusterIdentifier: "aurora-cluster-prod"
        associatedRoles:
          - roleArn: "arn:aws:iam::123456789012:role/RDS-Lambda-Access"
            featureName: "Lambda"
            status: "PENDING"
      requestID: "b2c3d4e5-f6a7-8901-bcde-f1234567890a"
      eventID: "g2f3e4d5-c6b7-8901-2345-678901bcdefg"
      readOnly: false
      eventType: AwsApiCall
      managementEvent: true
      recipientAccountId: "123456789012"
      eventCategory: Management

  - Name: Role Addition Failed
    ExpectedResult: false
    Log:
      eventVersion: "1.08"
      userIdentity:
        type: IAMUser
        principalId: "AIDAI23HXS3EXAMPLE"
        arn: "arn:aws:iam::123456789012:user/contractor"
        accountId: "123456789012"
        accessKeyId: "AKIAIOSFODNN7EXAMPLE"
        userName: contractor
      eventTime: "2024-01-17T13:00:00Z"
      eventSource: rds.amazonaws.com
      eventName: AddRoleToDBInstance
      awsRegion: us-east-1
      sourceIPAddress: "198.51.100.50"
      userAgent: "aws-cli/2.13.0"
      requestParameters:
        dBInstanceIdentifier: "production-db"
        roleArn: "arn:aws:iam::123456789012:role/Admin-Role"
      errorCode: AccessDenied
      errorMessage: "User is not authorized to perform: rds:AddRoleToDBInstance"
      requestID: "c3d4e5f6-a7b8-9012-cdef-1234567890ab"
      eventID: "h3g4f5e6-d7c8-9012-3456-789012cdefgh"
      readOnly: false
      eventType: AwsApiCall
      managementEvent: true
      recipientAccountId: "123456789012"
      eventCategory: Management

  - Name: Different RDS Event
    ExpectedResult: false
    Log:
      eventVersion: "1.08"
      userIdentity:
        type: AssumedRole
        principalId: "AIDAI23HXS3EXAMPLE:user"
        arn: "arn:aws:sts::123456789012:assumed-role/Admin/user"
        accountId: "123456789012"
      eventTime: "2024-01-17T13:00:00Z"
      eventSource: rds.amazonaws.com
      eventName: RemoveRoleFromDBInstance
      awsRegion: us-east-1
      sourceIPAddress: "10.0.1.100"
      requestParameters:
        dBInstanceIdentifier: "production-db"
        roleArn: "arn:aws:iam::123456789012:role/OldRole"
      requestID: "d4e5f6a7-b8c9-0123-def0-1234567890bc"
      eventID: "i4h5g6f7-e8d9-0123-4567-890123defghi"
      readOnly: false
      eventType: AwsApiCall
      managementEvent: true
      recipientAccountId: "123456789012"
      eventCategory: Management

Detection logic

Condition

eventSource eq "rds.amazonaws.com"
eventName in ["AddRoleToDBInstance", "AddRoleToDBCluster"]
errorCode is_null

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
errorCodeis_null
  • (no value, null check)
eventNamein
  • AddRoleToDBCluster
  • AddRoleToDBInstance
eventSourceeq
  • rds.amazonaws.com

Output fields

Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.

FieldSource
eventName
eventSource
awsRegion
recipientAccountId
sourceIPAddress
userAgent
userIdentity
dBInstanceIdentifierrequestParameters.dBInstanceIdentifier
roleArnrequestParameters.roleArn
userNameuserIdentity.userName