2. AWS Community
Key Takeaway
- Utilize AWS RDS Data API for secure database access and operations
- CloudTrail for auditing and activity monitoring
- Investigating incidents and preventing unauthorized access
- PostgreSQL Auditing (pgAudit) extension
6. AWS Community
Who did that?
-- Initial intended transfer
INSERT INTO transactions (from_account, to_account, amount, date)
VALUES ('12345', '67890', 100, '2024-02-12');
-- Attacker's transfer
INSERT INTO transactions (from_account, to_account, amount, date)
VALUES ('67890', 'attacker_account', 100, '2024-02-12');
-- Obscure the transaction
UPDATE transactions
SET from_account = 'unknown', to_account = 'unknown'
WHERE id = (SELECT MAX(id) FROM transactions);
-- Drop the audit_logs table
DROP TABLE audit_logs;
7. AWS Community
PostgreSQL Auditing (pgAudit) extension
More info:
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Appendix.PostgreSQL.CommonDBATasks.pgaudit.html
8. AWS Community
Database Logs. Notifications
...
2024-02-12 19:09:49 UTC:...:john_doe@postgres:[11701]:LOG: AUDIT: OBJECT,1,1,READ,UPDATE,TABLE,public.transactions,UPDATE transactions SET amount = amount - 100 WHERE from_account = '12345' AND to_account = '54321';
...
More info:
https://aws.amazon.com/blogs/database/build-proactive-database-monitoring-for-amazon-rds-with-amazon-cloudwatch-logs-aws-lambda-and-amazon-sns/
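The slides show one pgAudit line and say the logs are what answer "Who did that?"; what they do not show is the parsing and the rules that turn those lines into an alert. The block below is an added example (not code from the slides, AWS, or pgAudit) that parses pgAudit entries as Amazon RDS writes them to the PostgreSQL log and flags the three actions from the earlier scenario: the interactive UPDATE on the ledger, the UPDATE that rewrites account identifiers, and the DROP TABLE on the audit table. It assumes the default RDS log_line_prefix ("%t:%r:%u@%d:[%p]:"), a constructed service role name (app_rw) and a constructed list of sensitive tables. Two caveats it encodes: pgAudit's OBJECT logging (the mode the slide's line comes from) records only SELECT/INSERT/UPDATE/DELETE on objects the audit role holds privileges on, so catching `DROP TABLE audit_logs` needs session logging with `ddl` in `pgaudit.log` (set in the DB parameter group); and OBJECT logging emits a READ entry for an UPDATE's WHERE clause and a WRITE entry for its SET list, so a detector must key on the command and de-duplicate per statement. The sample log is constructed; its first line is the slide's own.

```python
import csv
import re
from dataclasses import dataclass

# Added example (not code from the slides): parse pgAudit entries as Amazon RDS
# writes them to the PostgreSQL log.  Assumes the default RDS log_line_prefix
# "%t:%r:%u@%d:[%p]:"; adjust the regex if the parameter group overrides it.
PGAUDIT_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d [^:\s]+):"  # %t  timestamp with zone
    r"(?P<remote>[^:]*):"                                   # %r  host(port), may be empty
    r"(?P<user>[^@:]+)@(?P<db>[^:]+):"                      # %u@%d
    r"\[(?P<pid>\d+)\]:LOG:\s+AUDIT:\s*(?P<audit>.*)$"      # [%p] then the pgAudit CSV
)

SENSITIVE_TABLES = {"public.transactions"}
SERVICE_ACCOUNTS = {"app_rw"}          # assumption: the only role expected to write
ACCOUNT_COLUMNS = re.compile(r"\b(from_account|to_account)\s*=", re.I)


@dataclass
class AuditEvent:
    timestamp: str
    db_user: str
    database: str
    pid: int
    audit_type: str      # SESSION or OBJECT
    statement_id: int
    cls: str             # READ, WRITE, DDL, ROLE, ...
    command: str         # UPDATE, DROP TABLE, ...
    object_type: str
    object_name: str
    statement: str


def parse_pgaudit_line(line):
    """Return an AuditEvent for a pgAudit log line, or None for any other line."""
    m = PGAUDIT_LINE.match(line.strip())
    if m is None:
        return None
    # pgAudit emits CSV and double-quotes a field when the statement contains a
    # comma or a quote, so use a real CSV parser rather than str.split(",").
    fields = next(csv.reader([m.group("audit")]))
    if len(fields) < 8:
        return None
    return AuditEvent(
        timestamp=m.group("ts"), db_user=m.group("user"), database=m.group("db"),
        pid=int(m.group("pid")), audit_type=fields[0], statement_id=int(fields[1]),
        cls=fields[3], command=fields[4], object_type=fields[5],
        object_name=fields[6], statement=fields[7],
    )


def evaluate(ev):
    """Detection rules for one event; returns a list of (severity, reason)."""
    findings = []
    # DDL against an audit object is audit-trail tampering (DROP TABLE audit_logs).
    # Only session logging with 'ddl' in pgaudit.log records it.
    if ev.cls == "DDL" and "audit" in ev.object_name.lower():
        findings.append(("critical", f"DDL against audit object {ev.object_name}"))
    if ev.object_name in SENSITIVE_TABLES and ev.command in {"INSERT", "UPDATE", "DELETE"}:
        # DML on the ledger from anything but the application role.  Keyed on the
        # command, not the class: OBJECT logging reports an UPDATE's WHERE clause
        # as READ and its SET list as WRITE.
        if ev.db_user not in SERVICE_ACCOUNTS:
            findings.append(("high", f"interactive {ev.command} on {ev.object_name}"))
        # Rewriting account identifiers on a posted transaction.  Only the SET
        # list is inspected; a WHERE clause legitimately names those columns.
        set_clause = re.split(r"\bWHERE\b", ev.statement, flags=re.I)[0]
        if ev.command == "UPDATE" and ACCOUNT_COLUMNS.search(set_clause):
            findings.append(("high", "UPDATE rewrites account identifiers"))
    return findings


def scan(lines):
    """Run the rules over raw log lines, de-duplicating the READ/WRITE pair that
    OBJECT logging emits for one statement (same backend pid and statement id)."""
    seen, out = set(), []
    for line in lines:
        ev = parse_pgaudit_line(line)
        if ev is None:
            continue
        for severity, reason in evaluate(ev):
            key = (ev.pid, ev.statement_id, reason)
            if key not in seen:
                seen.add(key)
                out.append((severity, ev.db_user, reason, ev.statement))
    return out


# Constructed sample: the slide's own line first, then the rest of the scenario
# as pgAudit would log it with pgaudit.log = 'ddl,write' plus OBJECT logging.
SAMPLE_LOG = """\
2024-02-12 19:09:49 UTC:...:john_doe@postgres:[11701]:LOG: AUDIT: OBJECT,1,1,READ,UPDATE,TABLE,public.transactions,UPDATE transactions SET amount = amount - 100 WHERE from_account = '12345' AND to_account = '54321';
2024-02-12 19:09:49 UTC:10.0.1.25(50322):john_doe@postgres:[11701]:LOG:  AUDIT: OBJECT,1,1,WRITE,UPDATE,TABLE,public.transactions,UPDATE transactions SET amount = amount - 100 WHERE from_account = '12345' AND to_account = '54321';
2024-02-12 19:10:03 UTC:10.0.1.25(50322):john_doe@postgres:[11701]:LOG:  AUDIT: SESSION,2,1,WRITE,UPDATE,TABLE,public.transactions,"UPDATE transactions SET from_account = 'unknown', to_account = 'unknown' WHERE id = (SELECT MAX(id) FROM transactions);",<none>
2024-02-12 19:10:15 UTC:10.0.1.25(50322):john_doe@postgres:[11701]:LOG:  AUDIT: SESSION,3,1,DDL,DROP TABLE,TABLE,public.audit_logs,DROP TABLE audit_logs;,<none>
2024-02-12 19:11:00 UTC:10.0.2.7(41200):app_rw@postgres:[11842]:LOG:  AUDIT: SESSION,1,1,READ,SELECT,TABLE,public.transactions,SELECT count(*) FROM transactions;,<none>
2024-02-12 19:11:30 UTC::@:[11000]:LOG:  checkpoint starting: time
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(*finding, sep=" | ")
```

On RDS the same lines arrive in CloudWatch Logs once the `postgresql` log export is enabled for the instance, which is where the Lambda-based monitoring in the linked blog post would run this kind of logic; the rules here fire on the database user name, which for direct connections is the person, but for traffic through the Data API is the Secrets Manager user, so attribution there needs CloudTrail.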
10. AWS Community
IAM database authentication
IAM policy statement that lets the principal request a token. The resource is the instance's DbiResourceId (db-...), not the DB identifier, followed by the database user name; the resource type is dbuser:
{
  "Effect": "Allow",
  "Action": ["rds-db:connect"],
  "Resource": ["arn:aws:rds-db:us-west-2:1234567890:dbuser:db-ABCDEFGHIJKL01234/john_doe"]
}
Database side: the PostgreSQL role must exist and hold rds_iam.
CREATE USER john_doe;
GRANT rds_iam TO john_doe;
Client side: the token (a signed string valid for 15 minutes) is passed in place of the password, and the connection must use SSL.
export RDSHOST="db.1234567890.us-west-2.rds.amazonaws.com"
export PGPASSWORD="$(aws rds generate-db-auth-token --hostname "$RDSHOST" --port 5432 --region us-west-2 --username john_doe)"
More info:
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAM.html
11. AWS Community
AWS Session Manager and Bastion Hosts
More info:
https://aws.amazon.com/blogs/mt/implementing-aws-session-manager-logging-guardrails-in-a-multi-account-environment/
12. AWS Community
AWS RDS Proxy for IAM authentication
More info:
https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/rds-proxy.html
13. AWS Community
RDS Proxy limitations
Turn on the Enhanced Logging feature of RDS Proxy when you need to debug: it records detailed information about the SQL statements passing through the proxy and is useful for understanding certain authentication issues. Because it adds performance overhead, it is a best practice to leave it on only while debugging; to limit that overhead, RDS Proxy automatically turns the setting off 24 hours after you enable it.
More info: https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/rds-proxy-setup.html
15. AWS Community
AWS RDS Data API Use Cases
More info:
https://aws.amazon.com/blogs/database/using-the-data-api-to-interact-with-an-amazon-aurora-serverless-mysql-database/
16. AWS Community
Query Editor for Amazon Aurora
More info: https://aws.amazon.com/blogs/database/using-the-data-api-to-interact-with-an-amazon-aurora-serverless-mysql-database/
17. AWS Community
Logging RDS Data API calls with AWS CloudTrail
More info: https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/logging-using-cloudtrail-data-api.html
"userIdentity": {
    "arn": "arn:aws:iam::123456789012:user/johndoe"
},
"eventTime": "2024-02-14T00:49:34Z",
"eventSource": "rdsdataapi.amazonaws.com",
"eventName": "ExecuteStatement",
"awsRegion": "us-west-1",
"sourceIPAddress": "3.126.2.15",
"userAgent": "aws-cli/1.16.102 Python/3.7.2 Windows/10 botocore/1.12.92",
"requestParameters": {
    "resourceArn": "arn:aws:rds:us-west-1:123456789012:cluster:db",
    "sql": "UPDATE transactions SET amount = amount - 100 WHERE from_account = '12345' AND to_account = '54321'"
},
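The CloudTrail record above is the only place the IAM principal behind a Data API statement appears: the Data API connects to the cluster with a Secrets Manager secret, so pgAudit sees that secret's database user, not johndoe. The block below is an added example (not code from the slides or AWS) that scans CloudTrail records for Data API `ExecuteStatement` and `BatchExecuteStatement` calls, extracts the command and target table from the logged `sql`, and tags statements that touch the ledger, drop or alter audit objects, come from outside an assumed trusted network, or failed (CloudTrail records denied calls too, with `errorCode`). The trusted network range, the sensitive table list, the assumed-role names and all records except the slide's own are constructed for the example.

```python
import ipaddress
import json
import re

# Added example (not from the slides): attribute Data API statements to IAM
# principals from CloudTrail.  The network range and table list are assumptions.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
SENSITIVE_TABLES = {"transactions"}
AUDIT_DDL = ("DROP TABLE", "ALTER TABLE", "TRUNCATE")

# Leading keyword plus target table of the statements worth alerting on.
# SELECT is deliberately not matched; schema prefixes are stripped below.
TARGET = re.compile(
    r'^\s*(?P<cmd>UPDATE|INSERT|DELETE|DROP\s+TABLE|ALTER\s+TABLE|TRUNCATE)\b'
    r'(?:\s+(?:INTO|FROM|TABLE|IF\s+EXISTS))?\s+(?P<table>[^\s(;]+)',
    re.I,
)


def classify_sql(sql):
    """Return (COMMAND, table) for a mutating statement, else (None, None)."""
    m = TARGET.match(sql or "")
    if m is None:
        return None, None
    cmd = re.sub(r"\s+", " ", m.group("cmd")).upper()
    table = m.group("table").replace('"', "").split(".")[-1].lower()
    return cmd, table


def _source_tag(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:                        # e.g. an AWS service principal
        return f"non-IP source {ip}"
    if not any(addr in net for net in TRUSTED_NETWORKS):
        return f"untrusted source {ip}"
    return None


def who_did_that(records):
    """Scan CloudTrail records for Data API statements and tag suspicious ones."""
    hits = []
    for rec in records:
        if rec.get("eventSource") != "rdsdataapi.amazonaws.com":
            continue
        if rec.get("eventName") not in ("ExecuteStatement", "BatchExecuteStatement"):
            continue                          # BeginTransaction etc. carry no SQL
        sql = (rec.get("requestParameters") or {}).get("sql")
        if not sql:
            continue
        cmd, table = classify_sql(sql)
        tags = []
        if cmd and table in SENSITIVE_TABLES:
            tags.append(f"{cmd} on {table}")
        if cmd in AUDIT_DDL and "audit" in table:
            tags.append(f"audit tampering: {cmd} {table}")
        src = _source_tag(rec.get("sourceIPAddress", ""))
        if src:
            tags.append(src)
        if rec.get("errorCode"):              # denied or failed calls are logged too
            tags.append(f"call failed: {rec['errorCode']}")
        if tags:
            hits.append({"who": rec["userIdentity"]["arn"], "when": rec["eventTime"],
                         "cluster": rec["requestParameters"].get("resourceArn"),
                         "sql": sql, "tags": tags})
    return hits


# Constructed CloudTrail file: the slide's record first, then invented ones.
SAMPLE_RECORDS = json.loads("""{"Records": [
  {"userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/johndoe"},
   "eventTime": "2024-02-14T00:49:34Z", "eventSource": "rdsdataapi.amazonaws.com",
   "eventName": "ExecuteStatement", "awsRegion": "us-west-1", "sourceIPAddress": "3.126.2.15",
   "requestParameters": {"resourceArn": "arn:aws:rds:us-west-1:123456789012:cluster:db",
     "sql": "UPDATE transactions SET amount = amount - 100 WHERE from_account = '12345' AND to_account = '54321'"}},
  {"userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/DataApiAdmin/johndoe"},
   "eventTime": "2024-02-14T00:51:10Z", "eventSource": "rdsdataapi.amazonaws.com",
   "eventName": "ExecuteStatement", "awsRegion": "us-west-1", "sourceIPAddress": "10.0.3.9",
   "requestParameters": {"resourceArn": "arn:aws:rds:us-west-1:123456789012:cluster:db",
     "sql": "DROP TABLE audit_logs"}},
  {"userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/DataApiAdmin/johndoe"},
   "eventTime": "2024-02-14T00:51:12Z", "eventSource": "rdsdataapi.amazonaws.com",
   "eventName": "BeginTransaction", "awsRegion": "us-west-1", "sourceIPAddress": "10.0.3.9",
   "requestParameters": {"resourceArn": "arn:aws:rds:us-west-1:123456789012:cluster:db"}},
  {"userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/PaymentsService/i-0abc"},
   "eventTime": "2024-02-14T00:52:00Z", "eventSource": "rdsdataapi.amazonaws.com",
   "eventName": "ExecuteStatement", "awsRegion": "us-west-1", "sourceIPAddress": "10.0.5.2",
   "requestParameters": {"resourceArn": "arn:aws:rds:us-west-1:123456789012:cluster:db",
     "sql": "SELECT count(*) FROM transactions"}},
  {"userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/johndoe"},
   "eventTime": "2024-02-14T00:55:41Z", "eventSource": "rdsdataapi.amazonaws.com",
   "eventName": "BatchExecuteStatement", "awsRegion": "us-west-1", "sourceIPAddress": "3.126.2.15",
   "errorCode": "AccessDeniedException",
   "requestParameters": {"resourceArn": "arn:aws:rds:us-west-1:123456789012:cluster:db",
     "sql": "DELETE FROM transactions WHERE id = :id"}}
]}""")["Records"]

if __name__ == "__main__":
    for hit in who_did_that(SAMPLE_RECORDS):
        print(hit["when"], hit["who"], hit["tags"])
```

The assumed-role record shows why the tag carries the full `userIdentity.arn`: the session name after the role tells you which human or instance assumed it, which the database side can never tell you. Before relying on this, check that the trail actually delivers Data API events; the Aurora user guide documents how to exclude them from a trail, and a trail configured that way leaves this detector blind.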