ModifyDBInstance
AWS
ModifyDBInstance
Event
Modifies an RDS instance configuration, potentially making it publicly accessible for data exfiltration.
Security Context
- Modifying an RDS instance to enable public accessibility or change security groups exposes the database to the internet, enabling direct exfiltration of sensitive data.
- Adversaries modify database configurations to weaken network controls, change master credentials, or disable encryption — all of which facilitate unauthorized data access.
Log Source
CloudTrail
Sample Event
Adversarial — exfiltration prep. Draco modifies the BOWTRUCKLE production RDS instance (bowtruckle-prod-db) to set PubliclyAccessible: true and reassign it to a security-group with 0.0.0.0/0 ingress. Combined with the master DB password he already grabbed from Secrets Manager (see aws-getsecretvalue), this gives him a direct internet-reachable connection string he can hit from his own infra. T1530 (Data from Cloud Storage Object).
{ "eventVersion": "1.09", "userIdentity": { "type": "IAMUser", "principalId": "AIDADRAC0MALF0YBADGY", "arn": "arn:aws:iam::555123456789:user/draco", "accountId": "555123456789", "accessKeyId": "AKIADRAC0MALF0YEXAMP5", "userName": "draco", "sessionContext": { "attributes": { "creationDate": "2026-04-15T21:42:08Z", "mfaAuthenticated": "false" } } }, "eventTime": "2026-04-15T22:25:31Z", "eventSource": "rds.amazonaws.com", "eventName": "ModifyDBInstance", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.66", "userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6", "requestParameters": { "dBInstanceIdentifier": "bowtruckle-prod-db", "publiclyAccessible": true, "vpcSecurityGroupIds": [ "sg-0graph0rnsg0001" ], "applyImmediately": true }, "responseElements": { "dBInstanceIdentifier": "bowtruckle-prod-db", "dBInstanceClass": "db.r5.4xlarge", "engine": "postgres", "dBInstanceStatus": "modifying", "masterUsername": "bowtruckle_admin", "endpoint": { "address": "bowtruckle-prod-db.cabcdef12345.us-east-1.rds.amazonaws.com", "port": 5432, "hostedZoneId": "Z2R2ITUGPM61AM" }, "publiclyAccessible": true, "vpcSecurityGroups": [ { "vpcSecurityGroupId": "sg-0graph0rnsg0001", "status": "active" } ] }, "requestID": "90000000-0000-4000-8000-000101010000", "eventID": "90000000-0000-4000-8000-000101010001", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "555123456789", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "rds.us-east-1.amazonaws.com" }}MITRE ATT&CK Mapping
Tactics: Exfiltration Collection
Techniques:
- T1530 — Data from Cloud Storage — Adversaries may access data from cloud storage.