AWS Cloud Trail Aws Credential Access Rds Password Reset
Query
AWSCloudTrail
| where EventName == "ModifyDBInstance" and RequestParameters has_any ("manageMasterUserPassword", "masterUserPassword", "masterUserSecretKmsKeyId", "rotateMasterUserPassword", "tdeCredentialPassword")
| invoke AWSIdentityRole()
| project
TimeGenerated,
UserIdentityType,
Identity,
ActorRole,
UserIdentityAccountId,
UserIdentityAccountName,
RecipientAccountId,
RecipientAccountName,
AWSRegion,
SessionCreationDate,
UserIdentityPrincipalid,
UserIdentityArn,
SourceIpAddress,
EventSource,
EventTypeName,
EventName,
ManagementEvent,
ReadOnly,
ErrorCode,
ErrorMessage,
RequestParameters,
ResponseElements,
Resources,
SessionMfaAuthenticated,
UserAgent,
AwsEventIdExplanation
This KQL (Kusto Query Language) query is designed to analyze AWS CloudTrail logs to identify specific events related to the modification of database instances. Here's a simple breakdown of what the query does:
-
Data Source: It starts by looking at the
AWSCloudTraildata, which contains logs of AWS API calls. -
Filter Criteria: The query filters the logs to find events where the
EventNameis "ModifyDBInstance". This means it is specifically interested in actions that modify database instances. -
Password-Related Changes: It further narrows down the results to only include events where the request parameters involve changes to the database's master user password or related security settings. This is done using the
has_anyfunction to check for specific keywords like "manageMasterUserPassword", "masterUserPassword", "masterUserSecretKmsKeyId", "rotateMasterUserPassword", and "tdeCredentialPassword". -
Role Information: The query uses
invoke AWSIdentityRole()to enrich the data with information about the AWS identity role associated with the event. -
Data Projection: Finally, it selects a wide range of fields to display in the results, including details about the event's timing, the user identity, account information, AWS region, source IP address, event type, request parameters, and more.
In summary, this query is used to track and analyze specific modifications to AWS database instances, particularly focusing on changes related to the master user password, and provides detailed information about these events for further investigation or auditing purposes.
Details

Jose Sebastián Canós
Released: March 11, 2024
Tables
Keywords
Operators