ModifyDBInstance
Event
Modifies an RDS instance configuration, potentially making it publicly accessible for data exfiltration.
Security Context
- Modifying an RDS instance to enable public accessibility or change security groups exposes the database to the internet, enabling direct exfiltration of sensitive data.
- Adversaries modify database configurations to weaken network controls, change master credentials, or disable encryption — all of which facilitate unauthorized data access.
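The checks described above, written as a triage routine over CloudTrail records. This is an added example, not part of the original entry; the sample records are constructed, and the `requestParameters` key names (`dBInstanceIdentifier`, `publiclyAccessible`, `vPCSecurityGroupIds`, `dBSecurityGroups`, `masterUserPassword`) are assumptions about how RDS parameters appear in the log, so keys are matched case-insensitively.

```python
import json

def sample(name, params, error=None):
    """Build a constructed CloudTrail-style record (not a real event)."""
    evt = {"eventSource": "rds.amazonaws.com", "eventName": name,
           "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"},
           "requestParameters": params}
    if error:
        evt["errorCode"] = error
    return evt

SAMPLE_EVENTS = [  # constructed input; parameter key names are assumptions
    sample("ModifyDBInstance", {"dBInstanceIdentifier": "example-db-1",
           "publiclyAccessible": True, "vPCSecurityGroupIds": ["sg-0example"]}),
    sample("ModifyDBInstance", {"dBInstanceIdentifier": "example-db-2",
           "masterUserPassword": "****"}),
    sample("ModifyDBInstance", {"dBInstanceIdentifier": "example-db-3",
           "backupRetentionPeriod": 7}),
    sample("DescribeDBInstances", None),
    sample("ModifyDBInstance", {"dBInstanceIdentifier": "example-db-4",
           "publiclyAccessible": "true"}, error="AccessDenied"),
]

def params_of(event):
    """Lower-case parameter names; requestParameters may be null."""
    return {k.lower(): v for k, v in (event.get("requestParameters") or {}).items()}

def findings(event):
    """Return the risky changes requested by one ModifyDBInstance record."""
    if (event.get("eventSource"), event.get("eventName")) != (
            "rds.amazonaws.com", "ModifyDBInstance"):
        return []
    p, hits = params_of(event), []
    # The flag may be logged as a JSON boolean or as a string.
    if str(p.get("publiclyaccessible")).lower() == "true":
        hits.append("public_access_enabled")
    if p.get("vpcsecuritygroupids") or p.get("dbsecuritygroups"):
        hits.append("security_groups_changed")
    if "masteruserpassword" in p:
        hits.append("master_password_changed")
    if hits and event.get("errorCode"):
        hits.append("attempt_failed")  # denied call: still worth reviewing
    return hits

def triage(events):
    """One alert per record that requested at least one risky change."""
    return [{"instance": params_of(e).get("dbinstanceidentifier"),
             "actor": e.get("userIdentity", {}).get("arn"),
             "findings": findings(e)} for e in events if findings(e)]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

Routine maintenance changes, such as the backup retention update in the third record, produce no alert, while a denied attempt to enable public access is still surfaced for review.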
Log Source
CloudTrail
Sample Event
MITRE ATT&CK Mapping
Tactics: Exfiltration
Techniques:
- T1530 — Data from Cloud Storage — Adversaries may access data from cloud storage. Many IaaS providers offer solutions for online data object storage such as Amazon S3, Azure Storage, and Google Cloud Storage.