Query Details

AWS CloudTrail AWS DB Snapshot Publicly Exposed

Query

AWSCloudTrail
| where EventName in ("ModifyDBClusterSnapshotAttribute", "ModifyDBSnapshotAttribute")
| where todynamic(RequestParameters)["attributeName"] == "restore"
| mv-expand Item = todynamic(RequestParameters)["valuesToAdd"] to typeof(string)
| where Item == "all"
| invoke AWSIdentityRole()
| project
    TimeGenerated,
    UserIdentityType,
    Identity,
    ActorRole,
    UserIdentityAccountId,
    UserIdentityAccountName,
    RecipientAccountId,
    RecipientAccountName,
    SessionCreationDate,
    UserIdentityPrincipalid,
    UserIdentityArn,
    SourceIpAddress,
    EventSource,
    EventTypeName,
    EventName,
    ManagementEvent,
    ReadOnly,
    ErrorCode,
    ErrorMessage,
    RequestParameters,
    ResponseElements,
    Resources,
    SessionMfaAuthenticated,
    UserAgent,
    AwsEventId

Explanation

This query retrieves ModifyDBClusterSnapshotAttribute and ModifyDBSnapshotAttribute events from the AWSCloudTrail table, keeps those where the modified attribute is "restore", expands the valuesToAdd array, and retains only rows where the value "all" was added, which grants restore permission on the RDS snapshot to every AWS account, i.e. exposes it publicly. It then invokes the AWSIdentityRole function to enrich each row with identity information and projects the fields of interest.
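The same filter logic as the KQL query, written as an added Python example so it can be exercised offline against constructed CloudTrail rows (this is not code from the original page or the query's author); the `dBSnapshotIdentifier` and `dBClusterSnapshotIdentifier` keys used to pull the snapshot name out of RequestParameters are assumed names.

```python
import json

# The two RDS API calls the KQL query matches on.
SNAPSHOT_ATTRIBUTE_EVENTS = {"ModifyDBClusterSnapshotAttribute", "ModifyDBSnapshotAttribute"}

# Constructed sample rows in the shape of the AWSCloudTrail table (not real log data).
SAMPLE_EVENTS = [
    {"TimeGenerated": "2024-02-12T10:00:00Z", "EventName": "ModifyDBSnapshotAttribute",
     "UserIdentityArn": "arn:aws:iam::111111111111:user/alice", "SourceIpAddress": "203.0.113.10",
     "RequestParameters": '{"dBSnapshotIdentifier": "prod-db-final", "attributeName": "restore", "valuesToAdd": ["all"]}'},
    {"TimeGenerated": "2024-02-12T10:05:00Z", "EventName": "ModifyDBSnapshotAttribute",
     "UserIdentityArn": "arn:aws:iam::111111111111:user/bob", "SourceIpAddress": "203.0.113.11",
     "RequestParameters": '{"dBSnapshotIdentifier": "prod-db-final", "attributeName": "restore", "valuesToAdd": ["222222222222"]}'},
    {"TimeGenerated": "2024-02-12T10:10:00Z", "EventName": "ModifyDBClusterSnapshotAttribute",
     "UserIdentityArn": "arn:aws:iam::111111111111:user/alice", "SourceIpAddress": "203.0.113.10",
     "RequestParameters": '{"dBClusterSnapshotIdentifier": "aurora-weekly", "attributeName": "restore", "valuesToRemove": ["all"]}'},
    {"TimeGenerated": "2024-02-12T10:15:00Z", "EventName": "ModifyDBClusterSnapshotAttribute",
     "UserIdentityArn": "arn:aws:iam::111111111111:role/ci-deploy", "SourceIpAddress": "198.51.100.7", "ErrorCode": "AccessDenied",
     "RequestParameters": '{"dBClusterSnapshotIdentifier": "aurora-weekly", "attributeName": "restore", "valuesToAdd": "all"}'},
]

def _values_to_add(params: dict) -> list[str]:
    """Mirror `mv-expand ... to typeof(string)`: a scalar or a list both become a list of strings."""
    values = params.get("valuesToAdd", [])
    return [values] if isinstance(values, str) else [str(v) for v in values]

def public_snapshot_shares(events: list[dict]) -> list[dict]:
    """Return the rows the KQL query would return: snapshot restore permission granted to 'all'."""
    hits = []
    for ev in events:
        if ev.get("EventName") not in SNAPSHOT_ATTRIBUTE_EVENTS:
            continue
        raw = ev.get("RequestParameters") or "{}"
        try:
            params = json.loads(raw) if isinstance(raw, str) else raw
        except json.JSONDecodeError:
            continue  # todynamic() yields null for malformed JSON, so the where clauses drop the row
        if params.get("attributeName") != "restore" or "all" not in _values_to_add(params):
            continue
        hits.append({
            "TimeGenerated": ev.get("TimeGenerated"),
            "UserIdentityArn": ev.get("UserIdentityArn"),
            "SourceIpAddress": ev.get("SourceIpAddress"),
            "EventName": ev["EventName"],
            "Snapshot": params.get("dBSnapshotIdentifier") or params.get("dBClusterSnapshotIdentifier"),
            # As in the query, failed calls are kept: a denied attempt still shows intent to expose data.
            "ErrorCode": ev.get("ErrorCode"),
        })
    return hits
```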

Details

Jose Sebastián Canós

Released: February 12, 2024

Tables

AWSCloudTrail

Keywords

EventName,ModifyDBClusterSnapshotAttribute,ModifyDBSnapshotAttribute,RequestParameters,attributeName,restore,valuesToAdd,all,AWSIdentityRole,TimeGenerated,UserIdentityType,Identity,ActorRole,UserIdentityAccountId,UserIdentityAccountName,RecipientAccountId,RecipientAccountName,SessionCreationDate,UserIdentityPrincipalid,UserIdentityArn,SourceIpAddress,EventSource,EventTypeName,ManagementEvent,ReadOnly,ErrorCode,ErrorMessage,ResponseElements,Resources,SessionMfaAuthenticated,UserAgent,AwsEventId

Operators

where, in, todynamic, ==, mv-expand, to, typeof, invoke, project