Query Details

AWS Cloud Trail AWS DB Snapshot Publicly Exposed

Query

AWSCloudTrail
| where EventName in ("ModifyDBClusterSnapshotAttribute", "ModifyDBSnapshotAttribute")
| where todynamic(RequestParameters)["attributeName"] == "restore"
| mv-expand Item = todynamic(RequestParameters)["valuesToAdd"] to typeof(string)
| where Item == "all"
| invoke AWSIdentityRole()
| project
    TimeGenerated,
    UserIdentityType,
    Identity,
    ActorRole,
    UserIdentityAccountId,
    UserIdentityAccountName,
    RecipientAccountId,
    RecipientAccountName,
    AWSRegion,
    SessionCreationDate,
    UserIdentityPrincipalid,
    UserIdentityArn,
    SourceIpAddress,
    EventSource,
    EventTypeName,
    EventName,
    ManagementEvent,
    ReadOnly,
    ErrorCode,
    ErrorMessage,
    RequestParameters,
    ResponseElements,
    Resources,
    SessionMfaAuthenticated,
    UserAgent,
    AwsEventId

Explanation

This KQL (Kusto Query Language) query is designed to analyze AWS CloudTrail logs to identify specific events related to modifying database snapshot attributes. Here's a simplified breakdown of what the query does:

  1. Filter Events: It starts by filtering the logs to only include events where the event name is either "ModifyDBClusterSnapshotAttribute" or "ModifyDBSnapshotAttribute". These events are related to changes in database snapshot attributes.

  2. Check Attribute Name: It further filters these events to only include those where the attribute being modified is "restore". This is done by examining the RequestParameters to see if the attributeName is "restore".

  3. Expand Values: The query then expands the valuesToAdd field within RequestParameters to check if it includes the value "all". This indicates that the modification allows the snapshot to be restored by any AWS account.

  4. Invoke AWS Identity Role: The query uses a function invoke AWSIdentityRole() to enrich the data with additional identity-related information.

  5. Select Specific Fields: Finally, it selects a set of fields to be displayed in the output, such as the time the event was generated, user identity details, account information, event details, and more.

In summary, this query is used to identify and analyze events where database snapshot attributes are modified to allow restoration by all AWS accounts, providing detailed information about the identity and context of these events.

Details

Jose Sebastián Canós profile picture

Jose Sebastián Canós

Released: March 11, 2024

Tables

AWSCloudTrail

Keywords

AWSCloudTrailEventNameRequestParametersItemAWSIdentityRoleTimeGeneratedUserIdentityTypeIdentityActorRoleUserIdentityAccountIdUserIdentityAccountNameRecipientAccountIdRecipientAccountNameAWSRegionSessionCreationDateUserIdentityPrincipalidUserIdentityArnSourceIpAddressEventSourceEventTypeNameManagementEventReadOnlyErrorCodeErrorMessageResponseElementsResourcesSessionMfaAuthenticatedUserAgentAwsEventId

Operators

|in==todynamic()mv-expandto typeof()invokeproject

Actions

GitHub