Query Details

AWS Cloud Trail AWS RDS Instance Publicly Exposed

Query

AWSCloudTrail
// Only the two RDS API calls that can set the public-endpoint flag
| where EventName in ("CreateDBInstance", "ModifyDBInstance")
    // Keep successful calls only: a denied or failed request did not expose anything
    and isempty(ErrorCode)
    and isempty(ErrorMessage)
// RequestParameters is stored as a JSON string; parse it and keep rows where publiclyAccessible is true
| where tobool(todynamic(RequestParameters)["publiclyAccessible"])
// Enrich the row with the assumed IAM role (ActorRole) of the caller
| invoke AWSIdentityRole()
| project
    TimeGenerated,
    UserIdentityType,
    Identity,
    ActorRole,
    UserIdentityAccountId,
    UserIdentityAccountName,
    RecipientAccountId,
    RecipientAccountName,
    SessionCreationDate,
    UserIdentityPrincipalid,
    UserIdentityArn,
    SourceIpAddress,
    EventSource,
    EventTypeName,
    EventName,
    ManagementEvent,
    ReadOnly,
    ErrorCode,
    ErrorMessage,
    RequestParameters,
    ResponseElements,
    Resources,
    SessionMfaAuthenticated,
    UserAgent,
    AwsEventId

Explanation

This query retrieves AWSCloudTrail events for the RDS API calls that create or modify a database instance (CreateDBInstance and ModifyDBInstance). It keeps only successful calls, i.e. events with no error code and no error message, so denied or failed requests do not produce alerts. It then parses the RequestParameters JSON and keeps events where the "publiclyAccessible" parameter is true, meaning the instance was given a publicly resolvable endpoint. Finally the query invokes the AWSIdentityRole function to attach the caller's role and projects the identity, session, source IP and request/response fields needed to triage who exposed which instance.
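The same filter steps, reimplemented in Python over a few constructed CloudTrail records so the logic can be exercised outside Sentinel. This is an added example, not part of the original query page: the sample events are made up, the field names (eventName, errorCode, requestParameters.publiclyAccessible) follow CloudTrail's JSON schema, and the function names is_public_rds_exposure and detect_public_rds are my own. It also covers the case Sentinel presents, where RequestParameters arrives as a JSON string rather than a parsed object.

```python
import json
from typing import Any

# Constructed sample records (not real telemetry). One record stores
# requestParameters as a JSON string, mirroring Sentinel's RequestParameters column.
SAMPLE_EVENTS: list[dict[str, Any]] = [
    {   # successful create with a public endpoint -> should alert
        "eventTime": "2023-12-01T10:00:00Z", "eventName": "CreateDBInstance",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
        "sourceIPAddress": "198.51.100.10",
        "requestParameters": {"dBInstanceIdentifier": "app-db", "publiclyAccessible": True},
    },
    {   # modify that flips an existing instance public -> should alert
        "eventTime": "2023-12-01T10:05:00Z", "eventName": "ModifyDBInstance",
        "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/Admin/bob"},
        "sourceIPAddress": "203.0.113.7",
        "requestParameters": {"dBInstanceIdentifier": "legacy-db", "publiclyAccessible": True},
    },
    {   # same request but denied by IAM -> errorCode set, must NOT alert
        "eventTime": "2023-12-01T10:06:00Z", "eventName": "CreateDBInstance",
        "errorCode": "AccessDenied", "errorMessage": "User is not authorized",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/carol"},
        "sourceIPAddress": "203.0.113.9",
        "requestParameters": {"dBInstanceIdentifier": "denied-db", "publiclyAccessible": True},
    },
    {   # modify with the flag explicitly false -> no alert
        "eventTime": "2023-12-01T10:07:00Z", "eventName": "ModifyDBInstance",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
        "sourceIPAddress": "198.51.100.10",
        "requestParameters": {"dBInstanceIdentifier": "app-db", "publiclyAccessible": False},
    },
    {   # modify that does not touch the flag at all -> tobool(null) is null, no alert
        "eventTime": "2023-12-01T10:08:00Z", "eventName": "ModifyDBInstance",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
        "sourceIPAddress": "198.51.100.10",
        "requestParameters": {"dBInstanceIdentifier": "app-db", "allocatedStorage": 200},
    },
    {   # Sentinel-style record: requestParameters is a JSON string -> should alert
        "eventTime": "2023-12-01T10:09:00Z", "eventName": "CreateDBInstance",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dave"},
        "sourceIPAddress": "192.0.2.44",
        "requestParameters": json.dumps({"dBInstanceIdentifier": "reports-db", "publiclyAccessible": True}),
    },
]

WATCHED_EVENTS = ("CreateDBInstance", "ModifyDBInstance")


def _as_bool(value: Any) -> bool:
    """Approximate KQL tobool(): True for a JSON true or the string 'true'; anything else False."""
    if value is True:
        return True
    return isinstance(value, str) and value.strip().lower() == "true"


def is_public_rds_exposure(event: dict[str, Any]) -> bool:
    """Return True when the event is a successful create/modify that sets publiclyAccessible."""
    if event.get("eventName") not in WATCHED_EVENTS:
        return False
    # isempty(ErrorCode) and isempty(ErrorMessage): only successful API calls count
    if event.get("errorCode") or event.get("errorMessage"):
        return False
    params = event.get("requestParameters")
    if isinstance(params, str):            # todynamic(RequestParameters)
        try:
            params = json.loads(params)
        except json.JSONDecodeError:
            return False
    if not isinstance(params, dict):
        return False
    return _as_bool(params.get("publiclyAccessible"))


def detect_public_rds(events: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Project the triage fields for every matching event, in input order."""
    findings = []
    for event in events:
        if not is_public_rds_exposure(event):
            continue
        params = event["requestParameters"]
        if isinstance(params, str):
            params = json.loads(params)
        findings.append({
            "time": event.get("eventTime"),
            "event": event["eventName"],
            "actor_arn": event.get("userIdentity", {}).get("arn"),
            "source_ip": event.get("sourceIPAddress"),
            "db_instance": params.get("dBInstanceIdentifier"),
        })
    return findings


if __name__ == "__main__":
    for finding in detect_public_rds(SAMPLE_EVENTS):
        print(finding)
```

The denied request is the case most often mishandled: without the error-code check, an attacker who merely attempts the change (and is refused) would look identical to one who succeeded, so the successful-only filter is what keeps this a high-fidelity alert rather than an attempt log.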

Details

Jose Sebastián Canós

Released: December 1, 2023

Tables

AWSCloudTrail

Keywords

Devices, Intune, User

Operators

where, in, and, isempty, tobool, todynamic, invoke, project