GuardDuty generates RDS Protection finding types that indicate potentially suspicious and anomalous login behavior in your Supported databases after you enable RDS Protection. Using RDS login activity, GuardDuty analyzes and profiles threats by identifying unusual patterns in login attempts.
Note: You can access the full information about a finding type by selecting it from the GuardDuty active finding types.
Follow these recommended steps to remediate a potentially compromised Amazon Aurora database in your AWS environment.
Remediating potentially compromised database with successful login events
The following recommended steps can help you remediate a potentially compromised Aurora database that exhibits unusual behavior related to successful login events.
- Identify the affected database and user.
  The generated GuardDuty finding provides the name of the affected database and the corresponding user details. For more information, see Finding details.
- Confirm whether this behavior is expected or unexpected.
  The following list specifies potential scenarios that may have caused GuardDuty to generate a finding:
  - A user who logs in to their database after a long time has passed.
  - A user who logs in to their database on an occasional basis, for example, a financial analyst who logs in each quarter.
  - A potentially suspicious actor whose successful login attempt may have compromised the database.
- Begin this step if the behavior is unexpected.
  - Restrict database access.
    Restrict database access for the suspected accounts and the source of this login activity. For more information, see Remediating potentially compromised credentials and Restrict network access.
  - Assess the impact and determine what information was accessed.
    - If available, review the audit logs to identify the pieces of information that might have been accessed. For more information, see Monitoring events, logs, and streams in an Amazon Aurora DB cluster in the Amazon Aurora User Guide.
    - Determine if any sensitive or protected information was accessed or modified.
Remediating potentially compromised database with failed login events
The following recommended steps can help you remediate a potentially compromised Aurora database that exhibits unusual behavior related to failed login events.
- Identify the affected database and user.
  The generated GuardDuty finding provides the name of the affected database and the corresponding user details. For more information, see Finding details.
- Identify the source of the failed login attempts.
  The generated GuardDuty finding provides the IP address and ASN organization (if it was a public connection) under the Actor section of the finding panel.
  An Autonomous System (AS) is a group of one or more IP prefixes (lists of IP addresses accessible on a network) run by one or more network operators that maintain a single, clearly defined routing policy. Network operators need Autonomous System Numbers (ASNs) to control routing within their networks and to exchange routing information with other internet service providers (ISPs).
- Confirm that this behavior is unexpected.
  Examine whether this activity represents an attempt to gain additional unauthorized access to the database, as follows:
  - If the source is internal, examine whether an application is misconfigured and attempting a connection repeatedly.
  - If the source is an external actor, examine whether the corresponding database is public facing or is misconfigured and thus allows potential malicious actors to brute force common user names.
- Begin this step if the behavior is unexpected.
  - Restrict database access.
    Restrict database access for the suspected accounts and the source of this login activity. For more information, see Remediating potentially compromised credentials and Restrict network access.
  - Perform root-cause analysis and determine the steps that potentially led to this activity.
    Set up an alert to get notified when an activity modifies a networking policy and creates an insecure state. For more information, see Firewall policies in AWS Network Firewall in the AWS Network Firewall Developer Guide.
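Both procedures above start with the same three facts pulled from the finding: which database and user are affected, where the login came from, and whether the logins succeeded or failed, which then decides the branch (expected-use confirmation for successful logins; misconfigured internal application versus public exposure for failed ones). The following is an added example, not code from the GuardDuty documentation or from AWS, that extracts those facts from a finding and maps them to the runbook branch. The finding is a constructed sample: only resource.rdsDbUserDetails and resource.rdsDbInstanceDetails.dbSecurityGroups are named on this page; the other field names (service.action.rdsLoginAttemptAction, remoteIpDetails, loginAttributes) are assumptions about the RDS Protection finding JSON, and the finding type strings, IP, ASN and counts are made up. The "trusted networks" list is your own definition of internal address space and is also an assumption.

```python
import ipaddress
import json

# Constructed sample finding (not a real GuardDuty finding). Field names other than
# resource.rdsDbUserDetails and resource.rdsDbInstanceDetails.dbSecurityGroups are
# assumptions about the RDS Protection finding JSON; values are made up.
def sample_finding(finding_type="CredentialAccess:RDS/AnomalousBehavior.FailedLoginAttempts",
                   source_ip="203.0.113.45", failed=57, successful=0):
    return {
        "type": finding_type,
        "resource": {
            "resourceType": "RDSDBInstance",
            "rdsDbInstanceDetails": {
                "dbInstanceIdentifier": "example-aurora-instance",
                "dbClusterIdentifier": "example-aurora-cluster",
                "engine": "aurora-postgresql",
                "dbSecurityGroups": [{"groupName": "example-aurora-sg",
                                      "groupId": "sg-0123456789abcdef0"}],
            },
            "rdsDbUserDetails": {"user": "postgres", "application": "psql",
                                 "database": "appdb", "ssl": "TLSv1.2",
                                 "authMethod": "password"},
        },
        "service": {"action": {
            "actionType": "RDS_LOGIN_ATTEMPT",
            "rdsLoginAttemptAction": {
                "remoteIpDetails": {
                    "ipAddressV4": source_ip,
                    "organization": {"asn": "64496", "asnOrg": "EXAMPLE-ASN-ORG"}},
                "loginAttributes": [{"user": "postgres", "application": "psql",
                                     "failedLoginAttempts": failed,
                                     "successfulLoginAttempts": successful}],
            },
        }},
    }

# Assumed definition of "internal": replace with the CIDRs of your own VPCs/on-prem ranges.
DEFAULT_TRUSTED = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def triage_rds_finding(finding, trusted_networks=DEFAULT_TRUSTED):
    """Extract the facts the runbook asks for and pick the runbook branch
    (successful vs failed login, internal vs external source)."""
    res = finding["resource"]
    inst = res.get("rdsDbInstanceDetails", {})
    user = res.get("rdsDbUserDetails", {})
    action = finding["service"]["action"].get("rdsLoginAttemptAction", {})
    remote = action.get("remoteIpDetails", {})
    org = remote.get("organization", {})
    ip = remote.get("ipAddressV4")

    # Classify the source against the explicit trusted list only; ipaddress.is_private
    # is deliberately not used because it also covers documentation ranges such as 203.0.113.0/24.
    internal = False
    if ip:
        addr = ipaddress.ip_address(ip)
        internal = any(addr in ipaddress.ip_network(n) for n in trusted_networks)

    attrs = action.get("loginAttributes", [])
    failed = sum(a.get("failedLoginAttempts", 0) for a in attrs)
    successful = sum(a.get("successfulLoginAttempts", 0) for a in attrs)
    outcome = "failed" if "FailedLogin" in finding.get("type", "") else "successful"

    if outcome == "successful":
        next_step = ("successful login: confirm with the account owner whether it was expected; "
                     "if not, restrict access and review the audit logs for what was accessed")
    elif internal:
        next_step = "internal source: check for a misconfigured application retrying connections"
    else:
        next_step = ("external source: check whether the database is public facing and "
                     "restrict network access (audit security groups)")

    return {
        "finding_type": finding.get("type"),
        "db_instance": inst.get("dbInstanceIdentifier"),
        "db_cluster": inst.get("dbClusterIdentifier"),
        "security_groups": [g.get("groupId") for g in inst.get("dbSecurityGroups", [])],
        "db_user": user.get("user"),
        "database": user.get("database"),
        "application": user.get("application"),
        "auth_method": user.get("authMethod"),
        "source_ip": ip,
        "asn": org.get("asn"),
        "asn_org": org.get("asnOrg"),
        "source_internal": internal,
        "failed_attempts": failed,
        "successful_attempts": successful,
        "login_outcome": outcome,
        "next_step": next_step,
    }


if __name__ == "__main__":
    print(json.dumps(triage_rds_finding(sample_finding()), indent=2))
```

The branch decision is driven by the finding type string rather than by the attempt counters, because a finding for a successful login can also carry earlier failed attempts from the same source; the counters are returned alongside so the analyst still sees them.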
Remediating potentially compromised credentials
A GuardDuty finding may indicate that the user credentials for an affected database have been compromised when the user identified in the finding has performed an unexpected database operation. You can identify the user in the RDS DB user details section within the finding panel in the console, or in resource.rdsDbUserDetails of the finding's JSON. These user details include user name, application used, database accessed, SSL version, and authentication method.
- To revoke access or rotate passwords for specific users that are involved in the finding, see Security with Amazon Aurora MySQL, or Security with Amazon Aurora PostgreSQL in the Amazon Aurora User Guide.
- Use AWS Secrets Manager to securely store and automatically rotate the secrets for Amazon Relational Database Service (RDS) databases. For more information, see AWS Secrets Manager tutorials in the AWS Secrets Manager User Guide.
- Use IAM database authentication to manage database users' access without the need for passwords. For more information, see IAM database authentication in the Amazon Aurora User Guide.
For more information, see Security best practices for Amazon Relational Database Service in the Amazon RDS User Guide.
Restrict network access
A GuardDuty finding may indicate that a database is accessible beyond your applications or Virtual Private Cloud (VPC). If the remote IP address in the finding is an unexpected connection source, audit the security groups. The list of security groups attached to the database is available under Security groups in the RDS console (https://console.aws.amazon.com/rds/) and in resource.rdsDbInstanceDetails.dbSecurityGroups of the finding's JSON. For more information on configuring security groups, see Controlling access with security groups in the Amazon RDS User Guide.
If you're using a firewall, restrict network access to the database by reconfiguring the Network Access Control Lists (NACLs). For more information, see Firewalls in AWS Network Firewall in the AWS Network Firewall Developer Guide.
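Auditing the security groups named in the finding means checking every ingress rule that can reach the database port and asking whether its source range belongs to you. The following is an added example, not code from the GuardDuty documentation or from AWS, that runs that check over security group descriptions and builds the IpPermissions structure for the revocation so it can be reviewed before anything is changed. The sample groups are constructed and shaped like entries of boto3's ec2.describe_security_groups() response (an assumption about that shape; the page only says the groups are listed in the finding JSON); the group IDs, CIDRs and port are made up, and the trusted network list is your own definition of internal address space.

```python
import ipaddress

# Constructed sample shaped like ec2.describe_security_groups()["SecurityGroups"]
# (assumed shape). Group IDs, CIDRs and the PostgreSQL port are made up.
SAMPLE_SECURITY_GROUPS = [
    {
        "GroupId": "sg-0123456789abcdef0",
        "GroupName": "example-aurora-sg",
        "IpPermissions": [
            # database port open to the whole internet
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
             "UserIdGroupPairs": []},
            # application subnet plus the application tier's own security group
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": "10.20.0.0/16"}], "Ipv6Ranges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0app0000000000000"}]},
            # all protocols and ports from a public /24 that is not on the trusted list
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "198.51.100.0/24"}],
             "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
    }
]


def _covers_port(perm, port):
    """True if an ingress permission admits traffic to `port` ("-1" means all protocols and ports)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def find_overexposed_rules(security_groups, db_port, trusted_networks):
    """Return every CIDR-based ingress rule that reaches db_port from outside trusted_networks.
    Rules that reference another security group (UserIdGroupPairs) are not flagged: they are
    scoped to your own resources rather than to an address range."""
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    flagged = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            if not _covers_port(perm, db_port):
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                net = ipaddress.ip_network(cidr, strict=False)
                if net.prefixlen == 0:
                    reason = "open to the internet"
                elif any(t.version == net.version and net.subnet_of(t) for t in trusted):
                    continue  # wholly inside a trusted range
                else:
                    reason = "source outside trusted networks"
                flagged.append({"GroupId": sg["GroupId"], "IpProtocol": perm["IpProtocol"],
                                "FromPort": perm.get("FromPort"), "ToPort": perm.get("ToPort"),
                                "Cidr": cidr, "reason": reason})
    return flagged


def build_revocations(flagged):
    """Group flagged rules into the IpPermissions structure that
    ec2.revoke_security_group_ingress(GroupId=..., IpPermissions=...) takes,
    keyed by group ID, so the change can be reviewed before it is applied."""
    by_group = {}
    for f in flagged:
        perm = {"IpProtocol": f["IpProtocol"]}
        if f["FromPort"] is not None:  # "-1" rules carry no port range
            perm["FromPort"] = f["FromPort"]
            perm["ToPort"] = f["ToPort"]
        if ":" in f["Cidr"]:
            perm["Ipv6Ranges"] = [{"CidrIpv6": f["Cidr"]}]
        else:
            perm["IpRanges"] = [{"CidrIp": f["Cidr"]}]
        by_group.setdefault(f["GroupId"], []).append(perm)
    return by_group


if __name__ == "__main__":
    hits = find_overexposed_rules(SAMPLE_SECURITY_GROUPS, 5432, ["10.0.0.0/8"])
    for h in hits:
        print(f'{h["GroupId"]}: {h["IpProtocol"]} {h["FromPort"]}-{h["ToPort"]} '
              f'from {h["Cidr"]} ({h["reason"]})')
    print(build_revocations(hits))
```

Run it against the groups listed in the finding by replacing SAMPLE_SECURITY_GROUPS with the output of describe_security_groups for those group IDs; a rule that allows all protocols ("-1") is treated as reaching the database port even though it names no port, which is why the third sample rule is flagged while the second, scoped to a trusted subnet and to another security group, is not.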