Remediating a compromised database instance - Amazon GuardDuty
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Remediating a compromised database instance

GuardDuty RDS Protection is in preview release. Your use of the RDS Protection feature is subject to Section 2 of the Amazon Service Terms ("Betas and Previews").

GuardDuty generates RDS Protection finding types that indicate potentially suspicious and anomalous login behavior in your Supported databases after you enable GuardDuty RDS Protection. Using RDS login activity, GuardDuty analyzes and profiles threats by identifying unusual patterns in login attempts.

Note

You can access the full information about a finding type by selecting it from the Findings table.

Follow these recommended steps to remediate a potentially compromised Amazon Aurora database instance in your Amazon environment.

Potentially compromised database with successful login events

The following recommended steps can help you remediate a potentially compromised Aurora database instance that exhibits unusual behavior related to successful login events.

  1. Identify the affected database and user.

    The generated GuardDuty finding provides the name of the affected database instance and the corresponding user details. For more information, see Finding details.

  2. Confirm whether this behavior is expected or unexpected.

    The following list specifies potential scenarios that may have caused GuardDuty to generate a finding:

    • A user who logs in to their database instance after a long time has passed.

    • A user who logs in to their database instance on an occasional basis, for example, a financial analyst who logs in each quarter.

    • A potentially suspicious actor who is involved in a successful login attempt potentially compromises the database instance.

  3. Begin this step if the behavior is unexpected.

    1. Restrict database instance access

      Restrict database instance access for the suspected accounts and the source of this login activity. For more information, see Potentially compromised credentials and Restrict network access.

    2. Assess the impact and determine what information was accessed.

Potentially compromised database with failed login events

The following recommended steps can help you remediate a potentially compromised Aurora database instance that exhibits unusual behavior related to failed login events.

  1. Identify the affected database and user.

    The generated GuardDuty finding provides the name of the affected database instance and the corresponding user details. For more information, see Finding details.

  2. Identify the source of the failed login attempts.

    The generated GuardDuty finding provides the IP address and ASN organization (if it was a public connection) under the Actor section of the finding panel.

    An Autonomous System (AS) is a group of one or more IP prefixes (lists of IP addresses accessible on a network) run by one or more network operators that maintain a single, clearly-defined routing policy. Network operators need Autonomous System Numbers (ASNs) to control routing within their networks and to exchange routing information with other internet service providers (ISPs).

  3. Confirm that this behavior is unexpected.

    Examine if this activity represents an attempt to gain additional unauthorized access to the database instance as follows:

    • If the source is internal, examine if an application is misconfigured and attempting a connection repeatedly.

    • If this is an external actor, examine whether the corresponding database instance is public facing or is misconfigured and thus allowing potential malicious actors to brute force common user names.

  4. Begin this step if the behavior is unexpected.

    1. Restrict database instance access

      Restrict database instance access for the suspected accounts and the source of this login activity. For more information, see Potentially compromised credentials and Restrict network access.

    2. Perform root-cause analysis and determine the steps that potentially led to this activity.

      Set up an alert to get notified when an activity modifies a networking policy and creates an insecure state. For more information, see Firewall policies in Amazon Network Firewall in the Amazon Network Firewall Developer Guide.

Potentially compromised credentials

A GuardDuty finding may indicate that the user credentials for an affected database have been compromised when the user identified in the finding has performed an unexpected database operation. You can identify the user in the RDS DB user details section within the finding panel in the console, or within the resource.rdsDbUserDetails of the findings JSON. These user details include user name, application used, database accessed, SSL version, and authentication method.

Restrict network access

A GuardDuty finding may indicate that a database instance is accessible beyond your applications, or Virtual Private Cloud (VPC). If the remote IP address in the finding is an unexpected connection source, audit the security groups. A list of security groups attached to the database instance is available under Security groups in the https://console.amazonaws.cn/rds/ console, or in the resource.rdsDbInstanceDetails.dbSecurityGroups of the findings JSON. For more information on configuring security groups, see Controlling access with security groups in the Amazon RDS User Guide.

If you're using a firewall, restrict network access to the database by reconfiguring the Network Access Control Lists (NACLs). For more information, see Firewalls in Amazon Network Firewall in the Amazon Network Firewall Developer Guide.