RestoreDBInstanceFromDBSnapshot
Event
Restores an RDS instance from a snapshot, enabling an attacker to access database contents by spinning up a copy.
Security Context
- Restoring a database from a snapshot creates a fully accessible copy of the data at the time of the snapshot, allowing an attacker to exfiltrate sensitive data without touching the production database.
- This technique is commonly used to bypass network restrictions on production databases — the restored instance can be placed in a different VPC or made publicly accessible for direct data extraction.
Log Source
CloudTrail
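The detection a defender would build on this log source, as an added example that is not part of the original entry: a small Python scanner that picks RestoreDBInstanceFromDBSnapshot calls out of a batch of CloudTrail records and rates each one, raising severity when the request asks for a publicly accessible instance (the extraction pattern described above) and noting an explicit subnet group (a restore that may land in a different VPC). The CloudTrail records are constructed for this example; the request-parameter names (dBInstanceIdentifier, dBSnapshotIdentifier, publiclyAccessible, dBSubnetGroupName) follow the RDS API parameter names as CloudTrail records them, and all account ids, ARNs, identifiers and IP addresses are placeholders.

```python
import json

# Constructed CloudTrail records for this example (not captured from a real
# account): account ids, ARNs, identifiers and IP addresses are placeholders.
SAMPLE_RECORDS = json.loads(r'''
[
  {
    "eventVersion": "1.08",
    "eventTime": "2024-01-01T12:00:00Z",
    "eventSource": "rds.amazonaws.com",
    "eventName": "RestoreDBInstanceFromDBSnapshot",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "203.0.113.10",
    "userIdentity": {"type": "IAMUser",
                     "arn": "arn:aws:iam::111111111111:user/example-user"},
    "requestParameters": {
      "dBInstanceIdentifier": "restored-copy",
      "dBSnapshotIdentifier": "prod-db-snapshot-2024-01-01",
      "publiclyAccessible": true,
      "dBSubnetGroupName": "other-vpc-subnets"
    }
  },
  {
    "eventVersion": "1.08",
    "eventTime": "2024-01-01T12:05:00Z",
    "eventSource": "rds.amazonaws.com",
    "eventName": "RestoreDBInstanceFromDBSnapshot",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "203.0.113.11",
    "userIdentity": {"type": "AssumedRole",
                     "arn": "arn:aws:sts::111111111111:assumed-role/example-role/session"},
    "errorCode": "AccessDenied",
    "requestParameters": {
      "dBInstanceIdentifier": "restored-copy-2",
      "dBSnapshotIdentifier": "prod-db-snapshot-2024-01-01"
    }
  },
  {
    "eventVersion": "1.08",
    "eventTime": "2024-01-01T12:06:00Z",
    "eventSource": "rds.amazonaws.com",
    "eventName": "DescribeDBInstances",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "203.0.113.10",
    "userIdentity": {"type": "IAMUser",
                     "arn": "arn:aws:iam::111111111111:user/example-user"}
  }
]
''')


def is_snapshot_restore(record):
    """True for the RDS API call this entry describes."""
    return (record.get("eventSource") == "rds.amazonaws.com"
            and record.get("eventName") == "RestoreDBInstanceFromDBSnapshot")


def assess_restore(record):
    """Build a finding for one RestoreDBInstanceFromDBSnapshot record.

    Severity starts at medium (any restore produces a full copy of the
    snapshot's data) and is raised to high when the request asks for a
    publicly accessible instance.
    """
    params = record.get("requestParameters") or {}
    reasons = ["instance restored from snapshot %r"
               % params.get("dBSnapshotIdentifier")]
    severity = "medium"
    if params.get("publiclyAccessible") is True:
        severity = "high"
        reasons.append("restored instance requested as publicly accessible")
    if params.get("dBSubnetGroupName"):
        reasons.append("explicit subnet group %r (restore may land in another VPC)"
                       % params["dBSubnetGroupName"])
    # A denied call still signals intent; keep the finding, record the outcome.
    outcome = "denied" if record.get("errorCode") else "succeeded"
    return {
        "severity": severity,
        "outcome": outcome,
        "actor": (record.get("userIdentity") or {}).get("arn"),
        "source_ip": record.get("sourceIPAddress"),
        "region": record.get("awsRegion"),
        "new_instance": params.get("dBInstanceIdentifier"),
        "reasons": reasons,
    }


def scan(records):
    """Return findings for every snapshot-restore record, in input order."""
    return [assess_restore(r) for r in records if is_snapshot_restore(r)]


if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(json.dumps(finding, indent=2))
```

Denied calls are kept on purpose: an AccessDenied on this API from a principal that never normally restores snapshots is worth the same triage as a successful one. In production the findings would be joined against the snapshot's source instance and the principal's baseline rather than scored on request parameters alone.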
Sample Event
MITRE ATT&CK Mapping
Tactics: Exfiltration
Techniques:
- T1530 — Data from Cloud Storage — Adversaries may access data from cloud storage. Many IaaS providers offer solutions for online data object storage such as Amazon S3, Azure Storage, and Google Cloud Storage.