GuardDuty RDS Protection finding types - Amazon GuardDuty
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

GuardDuty RDS Protection finding types

GuardDuty RDS Protection is in preview release. Your use of the RDS Protection feature is subject to Section 2 of the Amazon Service Terms ("Betas and Previews").

GuardDuty RDS Protection detects anomalous login behavior on your database instance. The following findings are specific to the Supported Amazon Aurora databases and will have a Resource Type of RDSDBInstance. The severity and details of the findings will differ based on the finding type.

CredentialAccess:RDS/AnomalousBehavior.SuccessfulLogin

A user successfully logged in to an RDS database in an anomalous way.

  • Default severity: Medium

  • Data source: RDS login activity monitoring

This finding informs you that an anomalous successful login was observed on an RDS database in your Amazon environment. This indicates that a role on your RDS database may have been compromised and has been accessed by a potential malicious actor.

This successful login was identified as anomalous by the GuardDuty anomaly detection machine learning (ML) model. The ML model evaluates all database login events in your Supported Amazon Aurora databases and identifies anomalous events that are associated with techniques used by adversaries. The ML model tracks various factors of the RDS login activity such as the user that made the request, the location the request was made from, and the specific database connection details that were used. For information about the login events that are potentially unusual, see RDS login activity-based anomalies.

Remediation recommendations:

If this activity is unexpected for the associated database, it may indicate that the credentials have been exposed or compromised. It is recommended to change the password of the associated database role and review available audit logs for activity performed by the compromised user. For more information, see Remediating a compromised database instance.

CredentialAccess:RDS/AnomalousBehavior.FailedLogin

One or more unusual failed login attempts were observed on an RDS database.

  • Default severity: Low

  • Data source: RDS login activity monitoring

This finding informs you that one or more anomalous failed logins were observed on an RDS database in your Amazon environment. This indicates that your RDS database may have been subject to an attempted brute-force attack by a potential malicious actor.

These failed logins were identified as anomalous by the GuardDuty anomaly detection machine learning (ML) model. The ML model evaluates all database login events in your Supported Amazon Aurora databases and identifies anomalous events that are associated with techniques used by adversaries. The ML model tracks various factors of the RDS login activity such as the user that made the request, the location the request was made from, and the specific database connection details that were used. For information about the RDS login activity that is potentially unusual, see RDS login activity-based anomalies.

Remediation recommendations:

If this activity is unexpected for the associated database, it may indicate that the database is publicly exposed or there is an overly permissive access policy to the database. It is recommended to place the database in a private VPC and limit the security group rules to allow traffic from necessary sources. For more information, see Remediating a compromised database instance.
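The following is an added triage example, not code from the GuardDuty documentation or from AWS: it builds the ListFindings filter that selects only the two finding types on this page, maps each finding to the default severity and remediation the page gives for it, and counts findings per instance so a burst of FailedLogin findings against one database stands out. The `type` and `resource.resourceType` criterion keys are the documented GuardDuty filter fields; the `Resource.RdsDbInstanceDetails.DbInstanceIdentifier` path and the sample findings are assumptions constructed for the example.

```python
from collections import Counter
from typing import Optional

# Finding types on this page, with the default severity and the remediation
# the page recommends for each.
RDS_LOGIN_TYPES = {
    "CredentialAccess:RDS/AnomalousBehavior.SuccessfulLogin": (
        "Medium", "rotate the role's password and review audit logs for that user"),
    "CredentialAccess:RDS/AnomalousBehavior.FailedLogin": (
        "Low", "check public exposure; move to a private VPC and tighten security groups"),
}

def rds_login_finding_criteria() -> dict:
    """FindingCriteria for the GuardDuty ListFindings API that selects only
    the two RDS login finding types (resource type RDSDBInstance)."""
    return {"Criterion": {
        "type": {"Eq": sorted(RDS_LOGIN_TYPES)},
        "resource.resourceType": {"Eq": ["RDSDBInstance"]},
    }}

def triage(finding: dict) -> Optional[dict]:
    """Turn one GetFindings-style finding into a triage record, or None when it
    is not an RDS login finding. The RdsDbInstanceDetails path is an assumption."""
    severity, action = RDS_LOGIN_TYPES.get(finding.get("Type"), (None, None))
    resource = finding.get("Resource", {})
    if severity is None or resource.get("ResourceType") != "RDSDBInstance":
        return None
    instance = resource.get("RdsDbInstanceDetails", {}).get("DbInstanceIdentifier", "<unknown>")
    return {"instance": instance, "kind": finding["Type"].rsplit(".", 1)[-1],
            "severity": severity, "action": action}

def summarize(findings: list) -> Counter:
    """Count RDS login findings per (instance, kind); repeated FailedLogin
    findings on one instance are the brute-force pattern the page describes."""
    return Counter((t["instance"], t["kind"]) for f in findings if (t := triage(f)))

def _rds_finding(kind: str, severity: float, instance: str) -> dict:
    # Constructed sample finding, not real GuardDuty output.
    return {"Type": f"CredentialAccess:RDS/AnomalousBehavior.{kind}", "Severity": severity,
            "Resource": {"ResourceType": "RDSDBInstance",
                         "RdsDbInstanceDetails": {"DbInstanceIdentifier": instance}}}

SAMPLE_FINDINGS = [
    _rds_finding("FailedLogin", 2, "aurora-prod-1"),
    _rds_finding("FailedLogin", 2, "aurora-prod-1"),
    _rds_finding("SuccessfulLogin", 5, "aurora-prod-1"),
    {"Type": "UnauthorizedAccess:EC2/SSHBruteForce", "Severity": 2,   # ignored: not RDS
     "Resource": {"ResourceType": "Instance"}},
]

if __name__ == "__main__":
    for key, count in summarize(SAMPLE_FINDINGS).items():
        print(key, count)
```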