Skip to content

ModifyDBInstance

AWS

ModifyDBInstance

service: AWS - RDS
techniques:

Event

Modifies an RDS instance configuration, potentially making it publicly accessible for data exfiltration.

Security Context

  • Modifying an RDS instance to enable public accessibility or change security groups exposes the database to the internet, enabling direct exfiltration of sensitive data.
  • Adversaries modify database configurations to weaken network controls, change master credentials, or disable encryption — all of which facilitate unauthorized data access.

Log Source

CloudTrail

Sample Event

Adversarial — exfiltration prep. Draco modifies the BOWTRUCKLE production RDS instance (bowtruckle-prod-db) to set PubliclyAccessible: true and reassign it to a security-group with 0.0.0.0/0 ingress. Combined with the master DB password he already grabbed from Secrets Manager (see aws-getsecretvalue), this gives him a direct internet-reachable connection string he can hit from his own infra. T1530 (Data from Cloud Storage Object).

{
"eventVersion": "1.09",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDADRAC0MALF0YBADGY",
"arn": "arn:aws:iam::555123456789:user/draco",
"accountId": "555123456789",
"accessKeyId": "AKIADRAC0MALF0YEXAMP5",
"userName": "draco",
"sessionContext": {
"attributes": {
"creationDate": "2026-04-15T21:42:08Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-04-15T22:25:31Z",
"eventSource": "rds.amazonaws.com",
"eventName": "ModifyDBInstance",
"awsRegion": "us-east-1",
"sourceIPAddress": "203.0.113.66",
"userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6",
"requestParameters": {
"dBInstanceIdentifier": "bowtruckle-prod-db",
"publiclyAccessible": true,
"vpcSecurityGroupIds": [
"sg-0graph0rnsg0001"
],
"applyImmediately": true
},
"responseElements": {
"dBInstanceIdentifier": "bowtruckle-prod-db",
"dBInstanceClass": "db.r5.4xlarge",
"engine": "postgres",
"dBInstanceStatus": "modifying",
"masterUsername": "bowtruckle_admin",
"endpoint": {
"address": "bowtruckle-prod-db.cabcdef12345.us-east-1.rds.amazonaws.com",
"port": 5432,
"hostedZoneId": "Z2R2ITUGPM61AM"
},
"publiclyAccessible": true,
"vpcSecurityGroups": [
{
"vpcSecurityGroupId": "sg-0graph0rnsg0001",
"status": "active"
}
]
},
"requestID": "90000000-0000-4000-8000-000101010000",
"eventID": "90000000-0000-4000-8000-000101010001",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "555123456789",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "rds.us-east-1.amazonaws.com"
}
}

MITRE ATT&CK Mapping

Tactics: Exfiltration Collection

Techniques:
  • T1530 — Data from Cloud Storage — Adversaries may access data from cloud storage.