AWS Cloud Trail AWS DB Snapshot Publicly Exposed
Query
AWSCloudTrail
| where EventName in ("ModifyDBClusterSnapshotAttribute", "ModifyDBSnapshotAttribute")
| where todynamic(RequestParameters)["attributeName"] == "restore"
| mv-expand Item = todynamic(RequestParameters)["valuesToAdd"] to typeof(string)
| where Item == "all"
| invoke AWSIdentityRole()
| project
TimeGenerated,
UserIdentityType,
Identity,
ActorRole,
UserIdentityAccountId,
UserIdentityAccountName,
RecipientAccountId,
RecipientAccountName,
AWSRegion,
SessionCreationDate,
UserIdentityPrincipalid,
UserIdentityArn,
SourceIpAddress,
EventSource,
EventTypeName,
EventName,
ManagementEvent,
ReadOnly,
ErrorCode,
ErrorMessage,
RequestParameters,
ResponseElements,
Resources,
SessionMfaAuthenticated,
UserAgent,
AwsEventIdExplanation
This KQL (Kusto Query Language) query is designed to analyze AWS CloudTrail logs to identify specific events related to modifying database snapshot attributes. Here's a simplified breakdown of what the query does:
-
Filter Events: It starts by filtering the logs to only include events where the event name is either "ModifyDBClusterSnapshotAttribute" or "ModifyDBSnapshotAttribute". These events are related to changes in database snapshot attributes.
-
Check Attribute Name: It further filters these events to only include those where the attribute being modified is "restore". This is done by examining the
RequestParametersto see if theattributeNameis "restore". -
Expand Values: The query then expands the
valuesToAddfield withinRequestParametersto check if it includes the value "all". This indicates that the modification allows the snapshot to be restored by any AWS account. -
Invoke AWS Identity Role: The query uses a function
invoke AWSIdentityRole()to enrich the data with additional identity-related information. -
Select Specific Fields: Finally, it selects a set of fields to be displayed in the output, such as the time the event was generated, user identity details, account information, event details, and more.
In summary, this query is used to identify and analyze events where database snapshot attributes are modified to allow restoration by all AWS accounts, providing detailed information about the identity and context of these events.
Details

Jose Sebastián Canós
Released: March 11, 2024
Tables
Keywords
Operators