RestoreDBInstanceFromDBSnapshot
AWS
RestoreDBInstanceFromDBSnapshot
Event
Restores an RDS instance from a snapshot, enabling an attacker to access database contents by spinning up a copy.
Security Context
- Restoring a database from a snapshot creates a fully accessible copy of the data at the time of the snapshot, allowing an attacker to exfiltrate sensitive data without touching the production database.
- This technique is commonly used to bypass network restrictions on production databases — the restored instance can be placed in a different VPC or made publicly accessible for direct data extraction.
Log Source
CloudTrail
Sample Event
Adversarial. Draco restores phoenix-prod-db-snapshot-2026-04-12 (a snapshot of the production OCCAMY metrics DB taken by the PHOENIX backup role) into a new instance phoenix-prod-db-restored-temp in a non-prod VPC. To enable direct extraction, he sets PubliclyAccessible: true and attaches a permissive security group sg-0graph0rnsg0001. The restored instance contains the same data as production but lives in a different network context, bypassing the production VPC’s egress controls. Maps cleanly to T1530 (Data from Cloud Storage) — production data accessed via a side door.
{ "eventVersion": "1.09", "userIdentity": { "type": "IAMUser", "principalId": "AIDADRAC0MALF0YBADGY", "arn": "arn:aws:iam::555123456789:user/draco", "accountId": "555123456789", "accessKeyId": "AKIADRAC0MALF0YEXAMP5", "userName": "draco", "sessionContext": { "attributes": { "creationDate": "2026-04-15T18:51:02Z", "mfaAuthenticated": "false" } } }, "eventTime": "2026-04-15T19:53:14Z", "eventSource": "rds.amazonaws.com", "eventName": "RestoreDBInstanceFromDBSnapshot", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.66", "userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6", "requestParameters": { "dBInstanceIdentifier": "phoenix-prod-db-restored-temp", "dBSnapshotIdentifier": "phoenix-prod-db-snapshot-2026-04-12", "dBInstanceClass": "db.r6g.large", "publiclyAccessible": true, "vpcSecurityGroupIds": ["sg-0graph0rnsg0001"], "dBSubnetGroupName": "default-sandbox" }, "responseElements": { "dBInstanceIdentifier": "phoenix-prod-db-restored-temp", "dBInstanceClass": "db.r6g.large", "engine": "postgres", "dBInstanceStatus": "creating", "masterUsername": "occamy_admin", "allocatedStorage": 200, "preferredBackupWindow": "07:00-08:00", "backupRetentionPeriod": 0, "vpcSecurityGroups": [ { "vpcSecurityGroupId": "sg-0graph0rnsg0001", "status": "active" } ], "publiclyAccessible": true, "storageType": "gp3", "storageEncrypted": true, "kmsKeyId": "arn:aws:kms:us-east-1:555123456789:key/60000000-0000-4000-8000-000000000001", "dbInstanceArn": "arn:aws:rds:us-east-1:555123456789:db:phoenix-prod-db-restored-temp" }, "requestID": "90000000-0000-4000-8000-000110100000", "eventID": "90000000-0000-4000-8000-000110100001", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "555123456789", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "rds.us-east-1.amazonaws.com" }}MITRE ATT&CK Mapping
Tactics: Exfiltration Collection
Techniques:
- T1530 — Data from Cloud Storage — Adversaries may access data from cloud storage.