Skip to content

RestoreDBInstanceFromDBSnapshot

AWS

RestoreDBInstanceFromDBSnapshot

service: AWS - RDS
techniques:

Event

Restores an RDS instance from a snapshot, enabling an attacker to access database contents by spinning up a copy.

Security Context

  • Restoring a database from a snapshot creates a fully accessible copy of the data at the time of the snapshot, allowing an attacker to exfiltrate sensitive data without touching the production database.
  • This technique is commonly used to bypass network restrictions on production databases — the restored instance can be placed in a different VPC or made publicly accessible for direct data extraction.

Log Source

CloudTrail

Sample Event

Adversarial. Draco restores phoenix-prod-db-snapshot-2026-04-12 (a snapshot of the production OCCAMY metrics DB taken by the PHOENIX backup role) into a new instance phoenix-prod-db-restored-temp in a non-prod VPC. To enable direct extraction, he sets PubliclyAccessible: true and attaches a permissive security group sg-0graph0rnsg0001. The restored instance contains the same data as production but lives in a different network context, bypassing the production VPC’s egress controls. Maps cleanly to T1530 (Data from Cloud Storage) — production data accessed via a side door.

{
"eventVersion": "1.09",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDADRAC0MALF0YBADGY",
"arn": "arn:aws:iam::555123456789:user/draco",
"accountId": "555123456789",
"accessKeyId": "AKIADRAC0MALF0YEXAMP5",
"userName": "draco",
"sessionContext": {
"attributes": {
"creationDate": "2026-04-15T18:51:02Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-04-15T19:53:14Z",
"eventSource": "rds.amazonaws.com",
"eventName": "RestoreDBInstanceFromDBSnapshot",
"awsRegion": "us-east-1",
"sourceIPAddress": "203.0.113.66",
"userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6",
"requestParameters": {
"dBInstanceIdentifier": "phoenix-prod-db-restored-temp",
"dBSnapshotIdentifier": "phoenix-prod-db-snapshot-2026-04-12",
"dBInstanceClass": "db.r6g.large",
"publiclyAccessible": true,
"vpcSecurityGroupIds": ["sg-0graph0rnsg0001"],
"dBSubnetGroupName": "default-sandbox"
},
"responseElements": {
"dBInstanceIdentifier": "phoenix-prod-db-restored-temp",
"dBInstanceClass": "db.r6g.large",
"engine": "postgres",
"dBInstanceStatus": "creating",
"masterUsername": "occamy_admin",
"allocatedStorage": 200,
"preferredBackupWindow": "07:00-08:00",
"backupRetentionPeriod": 0,
"vpcSecurityGroups": [
{
"vpcSecurityGroupId": "sg-0graph0rnsg0001",
"status": "active"
}
],
"publiclyAccessible": true,
"storageType": "gp3",
"storageEncrypted": true,
"kmsKeyId": "arn:aws:kms:us-east-1:555123456789:key/60000000-0000-4000-8000-000000000001",
"dbInstanceArn": "arn:aws:rds:us-east-1:555123456789:db:phoenix-prod-db-restored-temp"
},
"requestID": "90000000-0000-4000-8000-000110100000",
"eventID": "90000000-0000-4000-8000-000110100001",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "555123456789",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "rds.us-east-1.amazonaws.com"
}
}

MITRE ATT&CK Mapping

Tactics: Exfiltration Collection

Techniques:
  • T1530 — Data from Cloud Storage — Adversaries may access data from cloud storage.