AWS RDS Master Password Change
| Rule name | Rule type | Log sources | MITRE ATT&CK tags | Severity |
|---|---|---|---|---|
| AWS RDS Master Password Change | Standard | AWS CloudTrail | Credential Access: Credentials from Password Stores: Credentials from Web Browsers (T1555.003) | Critical |
About the rule
Rule Type
Standard
Rule Description
Detects a change to the master user password for an Amazon RDS (Relational Database Service) instance. While this can be a routine administrative task, an unauthorized change is a major red flag: it often indicates an attacker attempting to lock out legitimate administrators or to gain full access to the database contents.
Why this rule?
Unauthorized changes to RDS master passwords indicate potential database compromise or insider threat activity. This action could lock out legitimate administrators while granting attackers exclusive database access. Monitoring master password changes is critical for maintaining database security and detecting unauthorized administrative actions.
Severity
Critical
Rule journey
Attack chain scenario
Initial Access → Privilege Escalation → Persistence/Impact → Modify DB Instance → Master Password Change → Database Exfiltration or Ransom.
Impact
Loss of control over critical database assets. An attacker can change the password to steal data, delete the database, or hold the information for ransom, leading to significant data loss and operational downtime.
Rule Requirement
Prerequisites
Ensure AWS CloudTrail is logging management events, specifically the ModifyDBInstance API call with the MasterUserPassword parameter.
Criteria
Action1:
actionname = "Failed logon"
| timewindow 4m
| groupby CALLER having DCOUNT(IPADDRESS) > 2
select Action1.timewindow.CALLER,Action1.timewindow.SOURCE,Action1.timewindow.LOG_EVENT_NAME,Action1.timewindow.IPADDRESS,Action1.timewindow.ERRORMESSAGE,Action1.timewindow.LOGINTO,Action1.timewindow.SOURCE_REGION,Action1.timewindow.USERAGENT,Action1.timewindow.ACCOUNTID
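As an added example (not part of the original rule content), the following Python applies the event described under Prerequisites, a ModifyDBInstance call carrying the MasterUserPassword parameter, to constructed CloudTrail records, and suppresses the automated rotation case listed under Known False Positives. The CloudTrail field spelling `dBInstanceIdentifier`, the redacted `****` password value and the rotation role name are assumptions, not values from this page.

```python
# Assumed allowlist: ARN fragments of approved automated rotation workflows,
# e.g. the role a Secrets Manager rotation Lambda assumes (placeholder name).
ROTATION_ROLE_MARKERS = ("SecretsManagerRotationRole",)

def _ev(arn, params, region="us-east-1", ip="198.51.100.7", error=None):
    """Build a minimal CloudTrail-style ModifyDBInstance record (constructed data)."""
    ev = {"eventSource": "rds.amazonaws.com", "eventName": "ModifyDBInstance",
          "awsRegion": region, "sourceIPAddress": ip,
          "userIdentity": {"arn": arn}, "requestParameters": params}
    if error:
        ev["errorCode"] = error
    return ev

# Constructed sample records. CloudTrail serialises the RDS parameter as
# "dBInstanceIdentifier" and redacts the password value as "****" (assumed here).
SAMPLE_EVENTS = [
    _ev("arn:aws:iam::123456789012:user/alice",
        {"dBInstanceIdentifier": "prod-db", "masterUserPassword": "****"}),
    _ev("arn:aws:iam::123456789012:user/alice",        # storage change only: no alert
        {"dBInstanceIdentifier": "prod-db", "allocatedStorage": 200}),
    _ev("arn:aws:sts::123456789012:assumed-role/SecretsManagerRotationRole/rotate",
        {"dBInstanceIdentifier": "prod-db", "masterUserPassword": "****"}, region="eu-west-1"),
    _ev("arn:aws:iam::123456789012:user/contractor",   # denied attempt: still alert
        {"dBInstanceIdentifier": "prod-db", "masterUserPassword": "****"},
        ip="203.0.113.9", error="AccessDenied"),
]

def is_master_password_change(event):
    """True when a ModifyDBInstance call carries the MasterUserPassword parameter."""
    return (event.get("eventSource") == "rds.amazonaws.com"
            and event.get("eventName") == "ModifyDBInstance"
            and "masterUserPassword" in (event.get("requestParameters") or {}))

def is_approved_rotation(event):
    """Known-false-positive filter: change made by an allowlisted rotation role."""
    arn = event.get("userIdentity", {}).get("arn", "")
    return any(marker in arn for marker in ROTATION_ROLE_MARKERS)

def detect(events):
    """One alert per unapproved master-password change; denied attempts are kept."""
    alerts = []
    for ev in events:
        if is_master_password_change(ev) and not is_approved_rotation(ev):
            alerts.append({"db_instance": ev["requestParameters"].get("dBInstanceIdentifier"),
                           "caller": ev["userIdentity"].get("arn"),
                           "source_ip": ev.get("sourceIPAddress"),
                           "region": ev.get("awsRegion"),
                           "succeeded": "errorCode" not in ev})
    return alerts
```

Running `detect(SAMPLE_EVENTS)` yields two alerts: the successful change by the IAM user and the AccessDenied attempt by the contractor, while the storage-only modification and the rotation role's change are not reported.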
Detection
Execution Mode
realtime
Log Sources
AWS
MITRE ATT&CK
Credentials from Password Stores: Credentials from Web Browsers (T1555.003)
Future actions
Known False Positives
Scheduled credential rotation by authorized database administrators or automated security workflows (e.g., AWS Secrets Manager rotations).
Next Steps
- Identification: Identify the IAM user or role that performed the ModifyDBInstance action.
- Analysis: Cross-reference the action with approved change management tickets.
- Response: If unauthorized, immediately revert the password through a secure channel, audit the database for unauthorized queries, and revoke the credentials of the IAM entity that made the change.
Mitigation
| ID | Mitigation | Description |
|---|---|---|
| | | Organizations may consider weighing the risk of storing credentials in web browsers. If web browser credential disclosure is a significant concern, technical controls, policy, and user training may be used to prevent storage of credentials in web browsers. |
| | | Restrict or block web-based content that could be used to extract session cookies or credentials stored in browsers. Use browser security settings, such as disabling third-party cookies and restricting browser extensions, to limit the attack surface. |
| | | Regularly update web browsers, password managers, and all related software to the latest versions. Keeping software up-to-date reduces the risk of vulnerabilities being exploited by attackers to extract stored credentials or session cookies. |
| | | Implement strict user account management policies to prevent unnecessary accounts from accessing sensitive systems. Regularly audit user accounts to identify and disable inactive accounts that may be targeted by attackers to extract credentials or gain unauthorized access. |
| | | Provide user training on secure practices for managing credentials, including avoiding storing sensitive passwords in browsers and using password managers securely. Users should also be educated on identifying phishing attempts that could steal session cookies or credentials. |