Detection rules › Panther
AWS RDS Instance Snapshot Public Access
This policy validates that RDS Instance snapshots are not publicly restorable. This would allow anyone to restore an old version of your database and have full access to its contents.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Exfiltration | T1567 Exfiltration Over Web Service |
Rule body yaml
AnalysisType: policy
Filename: aws_rds_instance_snapshot_public_access.py
PolicyID: "AWS.RDS.Instance.SnapshotPublicAccess"
DisplayName: "AWS RDS Instance Snapshot Public Access"
Enabled: true
ResourceTypes:
- AWS.RDS.Instance
Tags:
- AWS
- Data Protection
- Exfiltration:Exfiltration Over Web Service
Reports:
MITRE ATT&CK:
- TA0010:T1567
Severity: Critical
Description: >
This policy validates that RDS Instance snapshots are not publicly restorable. This would allow anyone to restore an old version of your database and have full access to its contents.
Runbook: >
https://docs.runpanther.io/alert-runbooks/built-in-policies/aws-rds-instance-snapshots-are-not-publicly-accessible
Reference: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.html
Tests:
- Name: Instance Has No Snapshots
ExpectedResult: true
Resource:
{
"AllocatedStorage": 20,
"AssociatedRoles": null,
"AutoMinorVersionUpgrade": true,
"AvailabilityZone": "us-west-2a",
"BackupRetentionPeriod": 7,
"CACertificateIdentifier": "rds-ca-2015",
"CharacterSetName": null,
"CopyTagsToSnapshot": false,
"DBClusterIdentifier": null,
"DBInstanceArn": "arn:aws:rds:us-west-2:123456789012:db:example-instance",
"DBInstanceClass": "db.m4.xlarge",
"DBInstanceIdentifier": "example-instance",
"DBInstanceStatus": "available",
"DBName": "db_1",
"DBParameterGroups":
[
{
"DBParameterGroupName": "default.mysql5.7",
"ParameterApplyStatus": "in-sync",
},
],
"DBSecurityGroups": null,
"DBSubnetGroup":
{
"DBSubnetGroupArn": null,
"DBSubnetGroupDescription": "default",
"DBSubnetGroupName": "default",
"SubnetGroupStatus": "Complete",
"Subnets":
[
{
"SubnetAvailabilityZone": { "Name": "us-west-2b" },
"SubnetIdentifier": "subnet-111222333",
"SubnetStatus": "Active",
},
{
"SubnetAvailabilityZone": { "Name": "us-west-2d" },
"SubnetIdentifier": "subnet-444555666",
"SubnetStatus": "Active",
},
],
"VpcId": "vpc-111222333",
},
"DbInstancePort": 0,
"DbiResourceId": "db-ABCDEFGHIJKLMNOP",
"DeletionProtection": false,
"DomainMemberships": null,
"EnabledCloudwatchLogsExports": null,
"Endpoint":
{
"Address": "example-instance.abcdefghijkl.us-west-2.rds.amazonaws.com",
"HostedZoneId": "ABCDEF1234",
"Port": 3306,
},
"Engine": "mysql",
"EngineVersion": "5.7.22",
"EnhancedMonitoringResourceArn": null,
"IAMDatabaseAuthenticationEnabled": false,
"InstanceCreateTime": "2019-01-01T00:00:00.000Z",
"Iops": null,
"KmsKeyId": "arn:aws:kms:us-west-2:123456789012:key/111222333",
"LatestRestorableTime": "2019-01-01T00:00:00Z",
"LicenseModel": "general-public-license",
"ListenerEndpoint": null,
"MasterUsername": "superuser",
"MaxAllocatedStorage": null,
"MonitoringInterval": 0,
"MonitoringRoleArn": null,
"MultiAZ": false,
"OptionGroupMemberships":
[{ "OptionGroupName": "default:mysql-5-7", "Status": "in-sync" }],
"PendingModifiedValues":
{
"AllocatedStorage": null,
"BackupRetentionPeriod": null,
"CACertificateIdentifier": null,
"DBInstanceClass": null,
"DBInstanceIdentifier": null,
"DBSubnetGroupName": null,
"EngineVersion": null,
"Iops": null,
"LicenseModel": null,
"MasterUserPassword": null,
"MultiAZ": null,
"PendingCloudwatchLogsExports": null,
"Port": null,
"ProcessorFeatures": null,
"StorageType": null,
},
"PerformanceInsightsEnabled": false,
"PerformanceInsightsKMSKeyId": null,
"PerformanceInsightsRetentionPeriod": null,
"PreferredBackupWindow": "07:31-08:01",
"PreferredMaintenanceWindow": "thu:12:02-thu:12:32",
"ProcessorFeatures": null,
"PromotionTier": null,
"PubliclyAccessible": true,
"ReadReplicaDBClusterIdentifiers": null,
"ReadReplicaDBInstanceIdentifiers": null,
"ReadReplicaSourceDBInstanceIdentifier": null,
"SecondaryAvailabilityZone": null,
"SnapshotAttributes": null,
"StatusInfos": null,
"StorageEncrypted": true,
"StorageType": "gp2",
"TdeCredentialArn": null,
"Timezone": null,
"VpcSecurityGroups":
[{ "Status": "active", "VpcSecurityGroupId": "sg-112233" }],
}
- Name: Instance Snapshot Can Be Returned By All
ExpectedResult: false
Resource:
{
"AllocatedStorage": 20,
"AssociatedRoles": null,
"AutoMinorVersionUpgrade": true,
"AvailabilityZone": "us-west-2a",
"BackupRetentionPeriod": 7,
"CACertificateIdentifier": "rds-ca-2015",
"CharacterSetName": null,
"CopyTagsToSnapshot": false,
"DBClusterIdentifier": null,
"DBInstanceArn": "arn:aws:rds:us-west-2:123456789012:db:example-instance",
"DBInstanceClass": "db.m4.xlarge",
"DBInstanceIdentifier": "example-instance",
"DBInstanceStatus": "available",
"DBName": "db_1",
"DBParameterGroups":
[
{
"DBParameterGroupName": "default.mysql5.7",
"ParameterApplyStatus": "in-sync",
},
],
"DBSecurityGroups": null,
"DBSubnetGroup":
{
"DBSubnetGroupArn": null,
"DBSubnetGroupDescription": "default",
"DBSubnetGroupName": "default",
"SubnetGroupStatus": "Complete",
"Subnets":
[
{
"SubnetAvailabilityZone": { "Name": "us-west-2b" },
"SubnetIdentifier": "subnet-111222333",
"SubnetStatus": "Active",
},
{
"SubnetAvailabilityZone": { "Name": "us-west-2d" },
"SubnetIdentifier": "subnet-444555666",
"SubnetStatus": "Active",
},
],
"VpcId": "vpc-111222333",
},
"DbInstancePort": 0,
"DbiResourceId": "db-ABCDEFGHIJKLMNOP",
"DeletionProtection": false,
"DomainMemberships": null,
"EnabledCloudwatchLogsExports": null,
"Endpoint":
{
"Address": "example-instance.abcdefghijkl.us-west-2.rds.amazonaws.com",
"HostedZoneId": "ABCDEF1234",
"Port": 3306,
},
"Engine": "mysql",
"EngineVersion": "5.7.22",
"EnhancedMonitoringResourceArn": null,
"IAMDatabaseAuthenticationEnabled": false,
"InstanceCreateTime": "2019-01-01T00:00:00.000Z",
"Iops": null,
"KmsKeyId": "arn:aws:kms:us-west-2:123456789012:key/111222333",
"LatestRestorableTime": "2019-01-01T00:00:00Z",
"LicenseModel": "general-public-license",
"ListenerEndpoint": null,
"MasterUsername": "superuser",
"MaxAllocatedStorage": null,
"MonitoringInterval": 0,
"MonitoringRoleArn": null,
"MultiAZ": false,
"OptionGroupMemberships":
[{ "OptionGroupName": "default:mysql-5-7", "Status": "in-sync" }],
"PendingModifiedValues":
{
"AllocatedStorage": null,
"BackupRetentionPeriod": null,
"CACertificateIdentifier": null,
"DBInstanceClass": null,
"DBInstanceIdentifier": null,
"DBSubnetGroupName": null,
"EngineVersion": null,
"Iops": null,
"LicenseModel": null,
"MasterUserPassword": null,
"MultiAZ": null,
"PendingCloudwatchLogsExports": null,
"Port": null,
"ProcessorFeatures": null,
"StorageType": null,
},
"PerformanceInsightsEnabled": false,
"PerformanceInsightsKMSKeyId": null,
"PerformanceInsightsRetentionPeriod": null,
"PreferredBackupWindow": "07:31-08:01",
"PreferredMaintenanceWindow": "thu:12:02-thu:12:32",
"ProcessorFeatures": null,
"PromotionTier": null,
"PubliclyAccessible": true,
"ReadReplicaDBClusterIdentifiers": null,
"ReadReplicaDBInstanceIdentifiers": null,
"ReadReplicaSourceDBInstanceIdentifier": null,
"SecondaryAvailabilityZone": null,
"SnapshotAttributes":
[
{
"DBSnapshotAttributes":
[{ "AttributeName": "restore", "AttributeValues": null }],
"DBSnapshotIdentifier": "rds:example-instance-2019-01-01-07-36",
},
{
"DBSnapshotAttributes":
[{ "AttributeName": "restore", "AttributeValues": "all" }],
"DBSnapshotIdentifier": "rds:example-instance-2019-01-08-07-36",
},
],
"StatusInfos": null,
"StorageEncrypted": true,
"StorageType": "gp2",
"TdeCredentialArn": null,
"Timezone": null,
"VpcSecurityGroups":
[{ "Status": "active", "VpcSecurityGroupId": "sg-112233" }],
}
- Name: Instance Snapshot Can Be Returned By All In List
ExpectedResult: false
Resource:
{
"AllocatedStorage": 20,
"AssociatedRoles": null,
"AutoMinorVersionUpgrade": true,
"AvailabilityZone": "us-west-2a",
"BackupRetentionPeriod": 7,
"CACertificateIdentifier": "rds-ca-2015",
"CharacterSetName": null,
"CopyTagsToSnapshot": false,
"DBClusterIdentifier": null,
"DBInstanceArn": "arn:aws:rds:us-west-2:123456789012:db:example-instance",
"DBInstanceClass": "db.m4.xlarge",
"DBInstanceIdentifier": "example-instance",
"DBInstanceStatus": "available",
"DBName": "db_1",
"DBParameterGroups":
[
{
"DBParameterGroupName": "default.mysql5.7",
"ParameterApplyStatus": "in-sync",
},
],
"DBSecurityGroups": null,
"DBSubnetGroup":
{
"DBSubnetGroupArn": null,
"DBSubnetGroupDescription": "default",
"DBSubnetGroupName": "default",
"SubnetGroupStatus": "Complete",
"Subnets":
[
{
"SubnetAvailabilityZone": { "Name": "us-west-2b" },
"SubnetIdentifier": "subnet-111222333",
"SubnetStatus": "Active",
},
{
"SubnetAvailabilityZone": { "Name": "us-west-2d" },
"SubnetIdentifier": "subnet-444555666",
"SubnetStatus": "Active",
},
],
"VpcId": "vpc-111222333",
},
"DbInstancePort": 0,
"DbiResourceId": "db-ABCDEFGHIJKLMNOP",
"DeletionProtection": false,
"DomainMemberships": null,
"EnabledCloudwatchLogsExports": null,
"Endpoint":
{
"Address": "example-instance.abcdefghijkl.us-west-2.rds.amazonaws.com",
"HostedZoneId": "ABCDEF1234",
"Port": 3306,
},
"Engine": "mysql",
"EngineVersion": "5.7.22",
"EnhancedMonitoringResourceArn": null,
"IAMDatabaseAuthenticationEnabled": false,
"InstanceCreateTime": "2019-01-01T00:00:00.000Z",
"Iops": null,
"KmsKeyId": "arn:aws:kms:us-west-2:123456789012:key/111222333",
"LatestRestorableTime": "2019-01-01T00:00:00Z",
"LicenseModel": "general-public-license",
"ListenerEndpoint": null,
"MasterUsername": "superuser",
"MaxAllocatedStorage": null,
"MonitoringInterval": 0,
"MonitoringRoleArn": null,
"MultiAZ": false,
"OptionGroupMemberships":
[{ "OptionGroupName": "default:mysql-5-7", "Status": "in-sync" }],
"PendingModifiedValues":
{
"AllocatedStorage": null,
"BackupRetentionPeriod": null,
"CACertificateIdentifier": null,
"DBInstanceClass": null,
"DBInstanceIdentifier": null,
"DBSubnetGroupName": null,
"EngineVersion": null,
"Iops": null,
"LicenseModel": null,
"MasterUserPassword": null,
"MultiAZ": null,
"PendingCloudwatchLogsExports": null,
"Port": null,
"ProcessorFeatures": null,
"StorageType": null,
},
"PerformanceInsightsEnabled": false,
"PerformanceInsightsKMSKeyId": null,
"PerformanceInsightsRetentionPeriod": null,
"PreferredBackupWindow": "07:31-08:01",
"PreferredMaintenanceWindow": "thu:12:02-thu:12:32",
"ProcessorFeatures": null,
"PromotionTier": null,
"PubliclyAccessible": true,
"ReadReplicaDBClusterIdentifiers": null,
"ReadReplicaDBInstanceIdentifiers": null,
"ReadReplicaSourceDBInstanceIdentifier": null,
"SecondaryAvailabilityZone": null,
"SnapshotAttributes":
[
{
"DBSnapshotAttributes":
[{ "AttributeName": "restore", "AttributeValues": null }],
"DBSnapshotIdentifier": "rds:example-instance-2019-01-01-07-36",
},
{
"DBSnapshotAttributes":
[
{
"AttributeName": "restore",
"AttributeValues": ["some", "all"],
},
],
"DBSnapshotIdentifier": "rds:example-instance-2019-01-08-07-36",
},
],
"StatusInfos": null,
"StorageEncrypted": true,
"StorageType": "gp2",
"TdeCredentialArn": null,
"Timezone": null,
"VpcSecurityGroups":
[{ "Status": "active", "VpcSecurityGroupId": "sg-112233" }],
}
- Name: Instance Snapshot Can Be Returned By Some
ExpectedResult: true
Resource:
{
"AllocatedStorage": 20,
"AssociatedRoles": null,
"AutoMinorVersionUpgrade": true,
"AvailabilityZone": "us-west-2a",
"BackupRetentionPeriod": 7,
"CACertificateIdentifier": "rds-ca-2015",
"CharacterSetName": null,
"CopyTagsToSnapshot": false,
"DBClusterIdentifier": null,
"DBInstanceArn": "arn:aws:rds:us-west-2:123456789012:db:example-instance",
"DBInstanceClass": "db.m4.xlarge",
"DBInstanceIdentifier": "example-instance",
"DBInstanceStatus": "available",
"DBName": "db_1",
"DBParameterGroups":
[
{
"DBParameterGroupName": "default.mysql5.7",
"ParameterApplyStatus": "in-sync",
},
],
"DBSecurityGroups": null,
"DBSubnetGroup":
{
"DBSubnetGroupArn": null,
"DBSubnetGroupDescription": "default",
"DBSubnetGroupName": "default",
"SubnetGroupStatus": "Complete",
"Subnets":
[
{
"SubnetAvailabilityZone": { "Name": "us-west-2b" },
"SubnetIdentifier": "subnet-111222333",
"SubnetStatus": "Active",
},
{
"SubnetAvailabilityZone": { "Name": "us-west-2d" },
"SubnetIdentifier": "subnet-444555666",
"SubnetStatus": "Active",
},
],
"VpcId": "vpc-111222333",
},
"DbInstancePort": 0,
"DbiResourceId": "db-ABCDEFGHIJKLMNOP",
"DeletionProtection": false,
"DomainMemberships": null,
"EnabledCloudwatchLogsExports": null,
"Endpoint":
{
"Address": "example-instance.abcdefghijkl.us-west-2.rds.amazonaws.com",
"HostedZoneId": "ABCDEF1234",
"Port": 3306,
},
"Engine": "mysql",
"EngineVersion": "5.7.22",
"EnhancedMonitoringResourceArn": null,
"IAMDatabaseAuthenticationEnabled": false,
"InstanceCreateTime": "2019-01-01T00:00:00.000Z",
"Iops": null,
"KmsKeyId": "arn:aws:kms:us-west-2:123456789012:key/111222333",
"LatestRestorableTime": "2019-01-01T00:00:00Z",
"LicenseModel": "general-public-license",
"ListenerEndpoint": null,
"MasterUsername": "superuser",
"MaxAllocatedStorage": null,
"MonitoringInterval": 0,
"MonitoringRoleArn": null,
"MultiAZ": false,
"OptionGroupMemberships":
[{ "OptionGroupName": "default:mysql-5-7", "Status": "in-sync" }],
"PendingModifiedValues":
{
"AllocatedStorage": null,
"BackupRetentionPeriod": null,
"CACertificateIdentifier": null,
"DBInstanceClass": null,
"DBInstanceIdentifier": null,
"DBSubnetGroupName": null,
"EngineVersion": null,
"Iops": null,
"LicenseModel": null,
"MasterUserPassword": null,
"MultiAZ": null,
"PendingCloudwatchLogsExports": null,
"Port": null,
"ProcessorFeatures": null,
"StorageType": null,
},
"PerformanceInsightsEnabled": false,
"PerformanceInsightsKMSKeyId": null,
"PerformanceInsightsRetentionPeriod": null,
"PreferredBackupWindow": "07:31-08:01",
"PreferredMaintenanceWindow": "thu:12:02-thu:12:32",
"ProcessorFeatures": null,
"PromotionTier": null,
"PubliclyAccessible": true,
"ReadReplicaDBClusterIdentifiers": null,
"ReadReplicaDBInstanceIdentifiers": null,
"ReadReplicaSourceDBInstanceIdentifier": null,
"SecondaryAvailabilityZone": null,
"SnapshotAttributes":
[
{
"DBSnapshotAttributes":
[{ "AttributeName": "restore", "AttributeValues": null }],
"DBSnapshotIdentifier": "rds:example-instance-2019-01-01-07-36",
},
{
"DBSnapshotAttributes":
[{ "AttributeName": "restore", "AttributeValues": "some" }],
"DBSnapshotIdentifier": "rds:example-instance-2019-01-08-07-36",
},
],
"StatusInfos": null,
"StorageEncrypted": true,
"StorageType": "gp2",
"TdeCredentialArn": null,
"Timezone": null,
"VpcSecurityGroups":
[{ "Status": "active", "VpcSecurityGroupId": "sg-112233" }],
}
- Name: Instance Snapshot Cannot Be Restored By All
ExpectedResult: true
Resource:
{
"AllocatedStorage": 20,
"AssociatedRoles": null,
"AutoMinorVersionUpgrade": true,
"AvailabilityZone": "us-west-2a",
"BackupRetentionPeriod": 7,
"CACertificateIdentifier": "rds-ca-2015",
"CharacterSetName": null,
"CopyTagsToSnapshot": false,
"DBClusterIdentifier": null,
"DBInstanceArn": "arn:aws:rds:us-west-2:123456789012:db:example-instance",
"DBInstanceClass": "db.m4.xlarge",
"DBInstanceIdentifier": "example-instance",
"DBInstanceStatus": "available",
"DBName": "db_1",
"DBParameterGroups":
[
{
"DBParameterGroupName": "default.mysql5.7",
"ParameterApplyStatus": "in-sync",
},
],
"DBSecurityGroups": null,
"DBSubnetGroup":
{
"DBSubnetGroupArn": null,
"DBSubnetGroupDescription": "default",
"DBSubnetGroupName": "default",
"SubnetGroupStatus": "Complete",
"Subnets":
[
{
"SubnetAvailabilityZone": { "Name": "us-west-2b" },
"SubnetIdentifier": "subnet-111222333",
"SubnetStatus": "Active",
},
{
"SubnetAvailabilityZone": { "Name": "us-west-2d" },
"SubnetIdentifier": "subnet-444555666",
"SubnetStatus": "Active",
},
],
"VpcId": "vpc-111222333",
},
"DbInstancePort": 0,
"DbiResourceId": "db-ABCDEFGHIJKLMNOP",
"DeletionProtection": false,
"DomainMemberships": null,
"EnabledCloudwatchLogsExports": null,
"Endpoint":
{
"Address": "example-instance.abcdefghijkl.us-west-2.rds.amazonaws.com",
"HostedZoneId": "ABCDEF1234",
"Port": 3306,
},
"Engine": "mysql",
"EngineVersion": "5.7.22",
"EnhancedMonitoringResourceArn": null,
"IAMDatabaseAuthenticationEnabled": false,
"InstanceCreateTime": "2019-01-01T00:00:00.000Z",
"Iops": null,
"KmsKeyId": "arn:aws:kms:us-west-2:123456789012:key/111222333",
"LatestRestorableTime": "2019-01-01T00:00:00Z",
"LicenseModel": "general-public-license",
"ListenerEndpoint": null,
"MasterUsername": "superuser",
"MaxAllocatedStorage": null,
"MonitoringInterval": 0,
"MonitoringRoleArn": null,
"MultiAZ": false,
"OptionGroupMemberships":
[{ "OptionGroupName": "default:mysql-5-7", "Status": "in-sync" }],
"PendingModifiedValues":
{
"AllocatedStorage": null,
"BackupRetentionPeriod": null,
"CACertificateIdentifier": null,
"DBInstanceClass": null,
"DBInstanceIdentifier": null,
"DBSubnetGroupName": null,
"EngineVersion": null,
"Iops": null,
"LicenseModel": null,
"MasterUserPassword": null,
"MultiAZ": null,
"PendingCloudwatchLogsExports": null,
"Port": null,
"ProcessorFeatures": null,
"StorageType": null,
},
"PerformanceInsightsEnabled": false,
"PerformanceInsightsKMSKeyId": null,
"PerformanceInsightsRetentionPeriod": null,
"PreferredBackupWindow": "07:31-08:01",
"PreferredMaintenanceWindow": "thu:12:02-thu:12:32",
"ProcessorFeatures": null,
"PromotionTier": null,
"PubliclyAccessible": true,
"ReadReplicaDBClusterIdentifiers": null,
"ReadReplicaDBInstanceIdentifiers": null,
"ReadReplicaSourceDBInstanceIdentifier": null,
"SecondaryAvailabilityZone": null,
"SnapshotAttributes":
[
{
"DBSnapshotAttributes":
[{ "AttributeName": "restore", "AttributeValues": null }],
"DBSnapshotIdentifier": "rds:example-instance-2019-01-01-07-36",
},
{
"DBSnapshotAttributes":
[{ "AttributeName": "restore", "AttributeValues": null }],
"DBSnapshotIdentifier": "rds:example-instance-2019-01-08-07-36",
},
],
"StatusInfos": null,
"StorageEncrypted": true,
"StorageType": "gp2",
"TdeCredentialArn": null,
"Timezone": null,
"VpcSecurityGroups":
[{ "Status": "active", "VpcSecurityGroupId": "sg-112233" }],
}
Detection logic
Condition
SnapshotAttributes not is_null
This rule also runs imperative logic the parser cannot express as a filter; the conditions above are the structured part it could extract.
Exclusions
Top-level NOT(...) conjuncts: predicates this rule actively suppresses.
| Field | Kind | Excluded values |
|---|---|---|
SnapshotAttributes | is_null |