- Utilize AWS RDS Data API for secure database access and operations - CloudTrail for auditing and activity monitoring - Investigating incidents and preventing unauthorized access - PostgreSQL Auditing (pgAudit) extension

1. Communit
y
AWS Community
AWS RDS Data API and CloudTrail
Who drop the Table?
Vladimir Cageyv Samoylov

2. AWS Community
Key Takeaway
- Utilize AWS RDS Data API for secure database access and operations
- CloudTrail for auditing and activity monitoring
- Investigating incidents and preventing unauthorized access
- PostgreSQL Auditing (pgAudit) extension

3. AWS Community
Key Services
Amazon Aurora PostgreSQL CloudTrail

4. Vladimir Samoylov
CTO & Principal Consultant @FivexL
Founder @ZoJump
https://cageyv.dev/

5. The Story

6. AWS Community
Who did that?
-- Initial intended transfer
INSERT INTO transactions (from_account, to_account, amount, date)
VALUES ('12345', '67890', 100, '2024-02-12');
-- Attacker's transfer
INSERT INTO transactions (from_account, to_account, amount, date)
VALUES ('67890', 'attacker_account', 100, '2024-02-12');
-- Obscure the transaction
UPDATE transactions
SET from_account = 'unknown', to_account = 'unknown'
WHERE id = (SELECT MAX(id) FROM transactions);
-- Drop the audit_logs table
DROP TABLE audit_logs;

7. AWS Community
PostgreSQL Auditing (pgAudit) extension
More info:
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Appendix.PostgreSQL.CommonDBATasks.pgaudit.html

8. AWS Community
Database Logs. Notifications
...
2024-02-12 19:09:49 UTC:...:john_doe@postgres:[11701]:LOG: AUDIT:
OBJECT,1,1,READ,UPDATE,TABLE,public.transactions,UPDATE transactions SET
amount = amount - 100 WHERE from_account = '12345' AND to_account = '54321';
...
More info:
https://aws.amazon.com/blogs/database/build-proactive-database-monitoring-for-amazon-rds-with-amazon-cloudwatch
-logs-aws-lambda-and-amazon-sns/

9. Who was the “john_doe”?

10. AWS Community
"Action": ["rds-db:connect"],
"Resource":
["arn:aws:rds-db:us-west-2:1234567890:db:db-ABCDEFGHIJKL01234/john_doe"]
CREATE USER john_doe;
GRANT rds_iam TO john_doe;
export RDSHOST="db.1234567890.us-west-2.rds.amazonaws.com"
export PGPASSWORD="$(aws rds generate-db-auth-token --hostname
$RDSHOST --port 5432 --region us-west-2 --username john_doe )"
IAM database authentication
More info:
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAM.html

11. AWS Community
AWS Session Manager and Bastion Hosts
More info:
https://aws.amazon.com/blogs/mt/implementing-aws-session-manager-logging-guardrails-in-a-multi-account-environme
nt/

12. AWS Community
AWS RDS Proxy for IAM authentication
More info:
https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/rds-proxy.html

13. AWS Community
Turn on the Enhanced Logging feature of RDS Proxy. Logging gives detailed
information about the SQL statements. These logs are a useful resource to help
you understand certain authentication issues. Because this adds to performance
overhead, it's a best practice to turn them on only for debugging. To minimize
overhead, RDS Proxy automatically turns this setting off 24 hours after you turn it
on.
RDS Proxy limitations
More info: https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/rds-proxy-setup.html

14. AWS RDS Data API

15. AWS Community
AWS RDS Data API Use Cases
More info:
https://aws.amazon.com/blogs/database/using-the-data-api-to-interact-with-an-amazon-aurora-serverless-mysql-databa
se/

16. AWS Community
Query Editor for Amazon Aurora
More info: https://aws.amazon.com/blogs/database/using-the-data-api-to-interact-with-an-amazon-aurora-serverless-mysql-database/

17. AWS Community
Logging RDS Data API calls with AWS CloudTrail
More info: https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/logging-using-cloudtrail-data-api.html
"userIdentity": {
"arn": "arn:aws:iam::123456789012:user/johndoe"
},
"eventTime": "2024-02-14T00:49:34Z",
"eventSource": "rdsdataapi.amazonaws.com",
"eventName": "ExecuteStatement",
"awsRegion": "us-west-1",
"sourceIPAddress": "3.126.2.15",
"userAgent": "aws-cli/1.16.102 Python/3.7.2 Windows/10 botocore/1.12.92",
"requestParameters": {
"resourceArn": "arn:aws:rds:us-west-1:123456789012:cluster:db",
"sql": "UPDATE transactions SET amount = amount - 100 WHERE
from_account = '12345' AND to_account = '54321"},

18. AWS Community
Logging RDS Data API calls with AWS CloudTrail
More info: https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/logging-using-cloudtrail-data-api.html
"userIdentity": {
"arn": "arn:aws:iam::123456789012:user/johndoe"
},
"eventTime": "2024-02-14T00:49:34Z",
"eventSource": "rdsdataapi.amazonaws.com",
"eventName": "ExecuteStatement",
"awsRegion": "us-west-1",
"sourceIPAddress": "3.126.2.15",
"userAgent": "aws-cli/1.16.102 Python/3.7.2 Windows/10 botocore/1.12.92",
"requestParameters": {
"resourceArn": "arn:aws:rds:us-west-1:123456789012:cluster:db",
"sql": "UPDATE transactions SET amount = amount - 100 WHERE
from_account = '12345' AND to_account = '54321"},

19. AWS Community
SSO-Elevator (Just in Time Access)
More info: https://github.com/fivexl/terraform-aws-sso-elevator

20. AWS Community
Temporary Access to RDS Data API
More info: https://github.com/fivexl/terraform-aws-sso-elevator

21. AWS Community
Guard Duty RDS Protection
More info:
https://docs.aws.amazon.com/guardduty/latest/ug/rds-protection.html

22. Thank You
https://www.linkedin.com/in/vladimirsamoylov/