AWS Cloud Trail AWS RDS Instance Publicly Exposed
Query
AWSCloudTrail
| where EventName in ("CreateDBInstance", "ModifyDBInstance")
and isempty(ErrorCode)
and isempty(ErrorMessage)
| where tobool(todynamic(RequestParameters)["publiclyAccessible"])
| invoke AWSIdentityRole()
| project
TimeGenerated,
UserIdentityType,
Identity,
ActorRole,
UserIdentityAccountId,
UserIdentityAccountName,
RecipientAccountId,
RecipientAccountName,
AWSRegion,
SessionCreationDate,
UserIdentityPrincipalid,
UserIdentityArn,
SourceIpAddress,
EventSource,
EventTypeName,
EventName,
ManagementEvent,
ReadOnly,
ErrorCode,
ErrorMessage,
RequestParameters,
ResponseElements,
Resources,
SessionMfaAuthenticated,
UserAgent,
AwsEventIdExplanation
This KQL (Kusto Query Language) query is designed to analyze AWS CloudTrail logs to identify specific database instance activities. Here's a simplified breakdown of what the query does:
-
Data Source: It starts by accessing the
AWSCloudTraildata, which contains logs of AWS API calls. -
Filter Events: It filters the logs to include only events where a database instance is either created or modified. This is specified by the
EventNamebeing either "CreateDBInstance" or "ModifyDBInstance". -
Error Check: It ensures that these events did not encounter any errors by checking that both
ErrorCodeandErrorMessageare empty. -
Public Accessibility: It further filters the events to include only those where the database instance is set to be publicly accessible. This is determined by checking the
publiclyAccessibleparameter in theRequestParameters. -
Invoke Additional Function: The query uses the
invoke AWSIdentityRole()function to enrich the data with additional identity-related information. -
Select Columns: Finally, it selects a wide range of columns to display, including details about the event timing, user identity, account information, AWS region, event source, and more.
In summary, this query identifies successful creation or modification of publicly accessible database instances in AWS, providing detailed information about each event and the associated user identity.
Details

Jose Sebastián Canós
Released: March 11, 2024
Tables
Keywords
Operators